Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0768
Security Bulletin: Potential Security Exposure in IBM HTTP Server
CVE-2013-0169 PM85211 & PM85211: TLS spec vulnerability (CVE-2013-0169)
3 June 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: WebSphere Application Server
IBM HTTP Server
Publisher: IBM
Operating System: AIX
HP-UX
Linux variants
Solaris
Windows
z/OS
Impact/Access: Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2013-0169
Reference: ASB-2013.0069
ASB-2013.0025
ESB-2013.0767
ESB-2013.0760
ESB-2013.0749
ESB-2013.0744
ESB-2013.0712
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21635988
http://www-01.ibm.com/support/docview.wss?uid=swg24035061
Comment: This bulletin contains two (2) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Potential Security Exposure in IBM HTTP Server
CVE-2013-0169 PM85211
Flash (Alert)
Document information
WebSphere Application Server
Security
Software version:
6.1, 7.0, 8.0, 8.5
Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows, z/OS
Software edition:
Base, Developer, Express, Network Deployment
Reference #:
1635988
Modified date:
2013-05-30
Abstract
Potential Security Exposure with IBM HTTP Server for WebSphere Application
Server
Content
VULNERABILITY DETAILS:
CVE ID: CVE-2013-0169 (PM85211)
DESCRIPTION: The TLS protocol in the GSKIT component of the IBM HTTP Server
does not properly consider timing side-channel attacks, which could allow a
remote attacker to conduct distinguishing attacks and plain-text recovery
attacks via statistical analysis of timing data for crafted packets, aka the
"Lucky Thirteen" issue.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81902 for the
current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
AFFECTED VERSIONS: This problem affects the IBM HTTP Server component in all
editions of WebSphere Application Server and bundling products:
· Version 8.5
· Version 8
· Version 7
· Version 6.1
REMEDIATION: The recommended solution is to apply the Fix Pack or PTF for
each named product as soon as practical
Fix: Apply a Fix Pack or PTF containing this APAR PM85211, as noted below:
For affected versions of IBM HTTP Server for WebSphere Application Server:
For V8.5.0.0 through 8.5.0.2 Full Profile:
Apply Interim Fix PM85211
- --OR--
Apply Fix Pack 8.5.5.0 or later (targeted to be available mid June 2013)
For V8.0.0.0 through 8.0.0.6:
Apply Interim Fix PM85211
- --OR--
Apply Fix Pack 8.0.0.7 or later (targeted to be available late August 2013)
For V7.0.0.0 through 7.0.0.27:
Apply Interim Fix PM85211
- --OR--
Apply Fix Pack 7.0.0.29 or later (targeted to be available late June 2013)
For V6.1.0.0 through 6.1.0.45:
Apply Interim Fix PM85211
- --OR--
Apply Fix Pack 6.1.0.47 or later (targeted to be available late September 2013)
· Workaround(s): None
· Mitigation(s): None
Important note: IBM strongly suggests that all System z customers be subscribed
to the System z Security Portal to receive the latest critical System z
security and integrity service. If you are not subscribed, see the
instructions on the System z Security web site. Security and integrity APARs
and associated fixes will be posted to this portal. IBM suggests reviewing the
CVSS scores and applying all security or integrity fixes as soon as possible
to minimize any potential risk.
For additional details and information on WebSphere Application Server product
updates:
For Distributed, see Recommended fixes for WebSphere Application Server.
For z/OS, see APAR/PTF Tables by version for IBM WebSphere Application Server
for z/OS.
REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
· CVE-2013-0169 xforce.iss.net/xforce/xfdb/81902
CHANGE HISTORY:
· 30 May 2013: Original copy published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------------------------------------------------------------
PM85211: TLS spec vulnerability (CVE-2013-0169)
Downloadable files
Document information
WebSphere Application Server
IBM HTTP Server
Software version:
6.1, 7.0, 8.0, 8.5
Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows
Software edition:
Advanced, Base, Enterprise, Express, Network Deployment, Single Server
Reference #:
4035061
Modified date:
2013-05-30
Abstract
This interim fix upgrades the GSKit shipped with IBM HTTP Server to resolve the
CVE-2013-0169 TLS vulnerability.
Download Description
PM85211 resolves the following problem:
USERS AFFECTED:
IBM HTTP Servers using CBC ciphers
PROBLEM DESCRIPTION:
TLS spec vulnerability (CVE-2013-0169)
RECOMMENDATION:
Apply this fix if using CBC ciphers.
LOCAL FIX:
Disable CBC ciphers.
PROBLEM CONCLUSION:
The GSKit security library was updated to resolve the exposure.
This fix is targeted for IBM HTTP Server fixpacks/releases:
- - 6.1.0.47
- - 7.0.0.29
- - 8.0.0.7
- - 8.5.5.0
IBM HTTP Server is distributing an updated GSKit security library as an interim
fix.
No configuration is required once GSKit is updated to 7.0.4.45 or 8.0.14.27.
For IHS version 8.0 and 8.5:
The interim fix can be installed using Installation Manager (IM) with the
Web-based ("live") repository provided by IBM. It is necessary to de-select the
"Show recommended only" option within IM and to expand "Only fixes for version
8.x.y.z" to see the fix listed.
The interim fix is also available from Fix Central at the link listed in the
Download Package section below.
For IHS versions prior to 8.0:
This standalone GSKit update has been published to the IBM HTTP Server Fixes
download site,
and are located under the 'GSKit Version 7' section for your platform. Click
'here' to be taken to the login page.
For IBM HTTP Server 6.x releases, download the GSKit 7.0.4.45 package and
Readme
under the section labeled 'PM85211 - IHS Version 6'
For IBM HTTP Server 7.0 releases, download the GSKit 7.0.4.45 package and
Readme
under the section labeled 'PM85211 - IHS Version 7'
Installation Instructions
Review the readme.txt available with the fix for installation instructions.
Download package
Download RELEASE DATE LANGUAGE SIZE(Bytes) Download Options
Fix for
8.0.0.0 23 May 2013 US English 142299011 FC
- - 8.0.0.6
Fix for
8.5.0.0 23 May 2013 US English 142239112 FC
- - 8.5.0.2
Technical support
Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html),
visit the WebSphere Application Server support web site
(http://www.ibm.com/software/webservers/appserv/was/support/), or contact
1-800-IBM-SERV (U.S. only).
Problems (APARS) fixed
PM85211
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUawMQ+4yVqjM2NGpAQJXjQ//cw+PQJsQ78ulv54mBOu5oHOBqZucGPcE
+y0ylttifQatjqPjDsxbLBo30F3DTZ7m/N4heGmKl+MV7oOmXlaUENWPaczSfs9k
4PrW9zZ1qJf3QGKh7JnaS7w520YkgIYUgUyzzmP95WSWh6JJwQh0AslL/gYI/HI4
qq+ipTl6p6E7ZuuAvT0LzTrx8puQ3a2ryCPY3I62jJEILUxA1BUu5sS6nHC/yOei
aQ3uIjV9GJOVmHK/j06bdVYHpDnh8xU4c9arE53dQnXFlugSdrIYeq07FUnIED6c
f2coxLAIpJSjXV3DfvvZs5/q+wxPRZsFD8/E5kYLx7LWM+8j/MaW+OmPrWEQjBvs
6UsHHO4rtDjEh+KbT3Us0H7mwwqeYlUZ32dnZ0meEeVPtSJ9IU5DFq3my8D0iNj+
YGbNd4/JavUMOzJnR+ioRqein0j0QXDJqFJOd0lI9ZerkeDJVOt9uKcuF5cPYwfH
PcnwaMyAXASJeCWTmgP//rIEcVi9xp5alj5dVhUwMjvxSNCD4LIb2mGzIrxiLexD
cpT/BjQoUsmsHR8yF0+1u3A7cFAcUq2CmX7GE8vfdWA/3K75aT6SIJfOHZdhntlU
p4ItmqJLE1pZhVYlPn5WoOWDktzwa+8UN2Mt7c4ZvECzYJ7xBFviCboK3sEFdMua
8tyETQxMyxg=
=6IPj
-----END PGP SIGNATURE-----