copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » Security Bul... » AusCERT Exte... » ESB-2012.0713 - [Appliance] WebSphere DataPower SOA ...
 

ESB-2012.0713 - [Appliance] WebSphere DataPower SOA Appliances: Denial of service - Remote/unauthenticated
Date: 30 July 2012
References: ESB-2012.0388  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0713
    ASN.1 PARSING VULNERABILITY IN SOME DATAPOWER SERVICES AND COMMANDS
                               30 July 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           WebSphere DataPower SOA Appliances
Publisher:         IBM
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-2110  

Reference:         ESB-2012.0388

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg1IC84088

- --------------------------BEGIN INCLUDED TEXT--------------------

IC84088: ASN.1 PARSING VULNERABILITY IN SOME DATAPOWER SERVICES AND COMMANDS
(CVE-2012-2110)
 
APAR status
Closed as program error.

Error description
An appliance restart or other unpredictable behavior can be
triggered by malicious ASN.1 content coming into the DataPower
appliance from a variety of entry points.

The problem can be externally triggered from malicious network
data entering services as follows:
  - compressed or signed or encrypted messages entering a B2B
Gateway
  - signed or encrypted messages entering a service with a
cryptobin action set to verify or decrypt the messages

The problem can also be triggered from certain CLI commands (and
their WebGUI/SOMA equivalents):

  - boot image (firmware upgrade action)
  - certificate (Crypto Certificate configuration)
  - crypto-import (action)
  - decrypt (deprecated S/MIME file crypto action)
  - key (Crypto Key configuration)
  - verify (deprecated S/MIME file crypto action)

This problem can also be triggered by modifying the contents of
files used by existing Crypto Key and Crypto Certificate objects
(the new file will be read at the next firmware restart or
object reconfiguration).

This problem is known as CVE-2012-2110.

Local fix
Restrict access to the affected CLI commands.  There is no local
fix for this problem in cryptobin and B2B Gateway services.
Problem summary
A vulnerability exists when parsing malicious improperly-formed
ASN.1 data.  It can cause unpredictable results including an
appliance restart.

Malicious data can enter the appliance from the network
when a service is configured to decrypt or perform
signature verification, as B2B AS1/AS2/AS3 messages to
be processed by a B2B Gateway, or as PKCX#7 or S/MIME
traffic to be processed by a cryptobin action.  In addition,
various CLI commands that refer to ASN.1-encoded data can
potentially be entrypoints for malicious data.

This problem is known as CVE-2012-2110.

Problem conclusion
The fix is available in 3.8.2.14, 4.0.1.12 and 4.0.2.8.

Temporary fix
Restrict access to the affected CLI commands (including commands
that can modify ASN.1 data referenced by existing objects).
There is no temporary fix for the network entrypoints.

Comments
APAR Information
APAR number		IC84088
Reported component name	DATAPOWER
Reported component ID	DP1234567
Reported release	402
Status			CLOSED PER
PE			NoPE
HIPER			NoHIPER
Special Attention	NoSpecatt
Submitted date		2012-06-12
Closed date		2012-07-25
Last modified date	2012-07-25

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information
Fixed component name	DATAPOWER
Fixed component ID	DP1234567

Applicable component levels
R382 PSY   		UP
R401 PSY   		UP
R402 PSY   		UP

Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and service
names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at "Copyright and trademark information" at
www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUBXl0e4yVqjM2NGpAQIpdhAAvYdB/pZXpwB2kFsqEb9V++GqZadjQ6v1
7x31ZgW7aK1N6yMJl+jL7ltAxz+WD4qULnKo/WDrl6JqR9Ood/P4KBt0i4AKye/x
NbyOxzGqq5P3MgI6sT/9ocxAA1ZFFm1OOiQRm/c+AzWJLUuyJoSELJxnThQScvcR
ZPVTlJLOOx0Th2WAeEySw21zGr4RuBvZTpHclt64XMfAELQODnJ0zdMOYB22hAvf
zUsgUrIKGzz8c3JGlGG+LbLHKrK2hcJfkcSA3o3oTLmrnJv9E1uXJywtHFPhcIQs
0rTi6zRKeL1O1//vgIDBwYk0DXXYXaORKvd2n7ZPzX0g0JS7oYFR5bUTtvQ2oSky
MfFhL38cQgyJMoSlDR0mVOHfFteX2cUcGHvJmUdCIwbk3OrbWbFlR9fyexwqhaO8
czVLXxgP6gSlS73euY1mFE7gPQOc/tRrslv7HcV8jvJffd4Map9oC5dRb1DQhOcj
Lt0oTcZrFQvCZImEF4TnQDWkVPgCXiVCn7BxjUfLT+RJXoa/L/DhSSij4cK4OJ+l
6RQ93cPDi5RwANolxlSSxPjfn3JaPrBB1vC3ueDCc27pnU8INObpCEo522TNb+ob
Bnwf7KnWZoZ1Xc+xylZunLZffAABn2c3h+/Fda0JocM5LiFdqp96BVh5o+V9WvC+
b47TsSi0Ix8=
=VVbD
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/render.html?cid=1980&it=16136