-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1141
 Security Bulletin: Tivoli Workload Scheduler is affected by the following
          OpenSSL vulnerabilities: CVE-2014-0224, CVE-2014-0221,
                       CVE-2014-0195, CVE-2014-3470
                               10 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli Workload Scheduler
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3470 CVE-2014-0224 CVE-2014-0221
                   CVE-2014-0195  

Reference:         ASB-2014.0073
                   ASB-2014.0071
                   ASB-2014.0069.2
                   ASB-2014.0068
                   ESB-2014.1139
                   ESB-2014.0890
                   ESB-2014.0889
                   ESB-2014.0888
                   ESB-2014.0887

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21678289

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Tivoli Workload Scheduler is affected by the following
OpenSSL vulnerabilities: CVE-2014-0224, CVE-2014-0221, CVE-2014-0195,
CVE-2014-3470

Document information

More support for:
Tivoli Workload Scheduler

Software version:
8.4, 8.5, 8.5.1, 8.6, 9.1, 9.2

Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows

Reference #:
1678289

Modified date:
2014-07-04

Security Bulletin

Summary

Security vulnerabilities have been discovered in OpenSSL that were reported
on June 5, 2014 by the OpenSSL Project.

Vulnerability Details

CVE-ID: CVE-2014-0224
DESCRIPTION: OpenSSL is vulnerable to a man-in-the-middle attack, caused
by the use of weak keying material in SSL/TLS clients and servers. A
remote attacker could exploit this vulnerability using a specially-crafted
handshake to conduct man-in-the-middle attacks to decrypt and modify traffic.
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93586 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVE-ID: CVE-2014-0221
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a
recursion error in the DTLS client. By sending an invalid DTLS handshake,
a remote attacker could exploit this vulnerability to cause the application
to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93587 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-0195
DESCRIPTION: OpenSSL is vulnerable to a buffer overflow. By sending invalid
DTLS packet fragments, a remote attacker could exploit this vulnerability
to overrun the client or server and execute arbitrary code on a DTLS client
or server.
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93588 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-ID: CVE-2014-3470
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the
implementation of anonymous ECDH ciphersuites. A remote attacker could
exploit this vulnerability to cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93589 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

TWS uses OpenSSL only for secure communication between internal processes.
For Tivoli Workload Scheduler Distributed, TWS nodes are impacted by the
OpenSSL security exposure only if the TWS workstation has been defined
with "securitylevel" set to on, enabled or force.
The security exposures do not apply to the embedded WebSphere Application
Server, but only to the programs installed under <TWS home>/bin.

The security vulnerability applies to os400 Dynamic Agents only; it does not
apply to Dynamic Agents or zCentric agents on any other platform.

For Tivoli Workload Scheduler for Applications, the programs that are
installed in <TWS home>/methods are impacted if the agent that is hosting
the methods has been defined with "securitylevel" set to on, enabled or force.

TWS is a back-office application that usually runs over a protected
infrastructure where connections with outside networks are forbidden.
Connections with branch offices where TWS agents run are always implemented
through VPNs. For this reason SSL is not often used to interconnect TWS
nodes. Customers with high security demands activate SSL, but they never let
TWS nodes communicate over unsecured networks. That said, the probability of
attack is very limited; moreover, the majority of the exposures belong to the
"denial of service" category, which in the worst case will lead to the
temporary unavailability of the attacked TWS nodes.

Affected Products and Versions

Tivoli Workload Scheduler Distributed 8.4.0 FP07 and earlier
Tivoli Workload Scheduler Distributed 8.5.0 FP04 and earlier
Tivoli Workload Scheduler Distributed 8.5.1 FP05 and earlier
Tivoli Workload Scheduler Distributed 8.6.0 FP03 and earlier
Tivoli Workload Scheduler Distributed 9.1.0 FP01 and earlier
Tivoli Workload Scheduler Distributed 9.2.0 GA Level
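The exposure conditions above (affected release and fix-pack level, agent type and platform, and the workstation's "securitylevel") are easy to misapply across a large scheduling estate. The following Python helper is an added example, not IBM's code: it encodes those conditions as stated in the bulletin and runs them over a constructed node inventory; the Node fields and the "fta"/"dynamic"/"zcentric" labels are assumptions for illustration.

```python
# Added example, not IBM's code: scope the bulletin's exposure conditions for
# CVE-2014-0224/0221/0195/3470 over a TWS node inventory (constructed data).
from dataclasses import dataclass

# Highest affected fix pack per TWS Distributed release; GA level counts as 0.
AFFECTED_MAX_FP = {"8.4.0": 7, "8.5.0": 4, "8.5.1": 5,
                   "8.6.0": 3, "9.1.0": 1, "9.2.0": 0}
SSL_LEVELS = {"on", "enabled", "force"}  # securitylevel values that enable SSL


@dataclass
class Node:
    name: str
    level: str          # release and fix pack, e.g. "8.6.0 FP03" or "9.2.0 GA"
    securitylevel: str  # workstation definition value: on/enabled/force/off
    agent_type: str     # "fta" (master, domain manager, FTA), "dynamic", "zcentric"
    os: str             # e.g. "linux", "os400"


def parse_level(label: str) -> tuple[str, int]:
    """'8.6.0 FP03' -> ('8.6.0', 3); '9.2.0 GA' -> ('9.2.0', 0)."""
    version, _, fp = label.partition(" ")
    fp = fp.strip().upper()
    return version, (int(fp[2:]) if fp.startswith("FP") else 0)


def needs_interim_fix(node: Node) -> bool:
    """True when the bulletin's conditions make this node exposed."""
    version, fixpack = parse_level(node.level)
    max_fp = AFFECTED_MAX_FP.get(version)
    if max_fp is None or fixpack > max_fp:
        return False  # not an affected level (8.5.0 FP05 already carries the fix)
    if node.agent_type in ("dynamic", "zcentric") and node.os != "os400":
        return False  # only os400 Dynamic Agents are affected
    # Internal SSL, and so OpenSSL, is used only for on/enabled/force.
    return node.securitylevel.strip().lower() in SSL_LEVELS


def exposed_nodes(inventory: list[Node]) -> list[str]:
    return [n.name for n in inventory if needs_interim_fix(n)]


SAMPLE = [  # constructed inventory
    Node("MASTER", "8.6.0 FP03", "force", "fta", "linux"),
    Node("FTA01", "8.6.0 FP03", "off", "fta", "aix"),
    Node("FTA02", "8.5.0 FP05", "on", "fta", "windows"),
    Node("DA01", "9.1.0 FP01", "on", "dynamic", "linux"),
    Node("DA400", "9.1.0 FP01", "on", "dynamic", "os400"),
]
```

Calling `exposed_nodes(SAMPLE)` returns `['MASTER', 'DA400']`: the Linux Dynamic Agent and the node with securitylevel off drop out, as does 8.5.0 FP05, which already contains the fix.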

Remediation/Fixes

IBM has provided patches for all affected versions.
APAR IV61392 has been opened to address the following vulnerabilities for
Tivoli Workload Scheduler:
CVE-2014-0224
CVE-2014-0221
CVE-2014-0195
CVE-2014-3470

Starting from July 4th, the following interim fixes for IV61392 will be
available for download on FixCentral:

8.5.1-TIV-TWS-FP0005-IV61392
to be applied on top of Tivoli Workload Scheduler Distributed 8.5.1 FP05
8.4.0-TIV-TWS-FP0007-IV61392
to be applied on top of Tivoli Workload Scheduler Distributed 8.4 FP07
8.6.0-TIV-TWS-FP0007-IV61392
to be applied on top of Tivoli Workload Scheduler Distributed 8.6 FP03
9.2.0-TIV-TWS-FP0000-IV61392
to be applied on top of Tivoli Workload Scheduler Distributed 9.2.0
9.1.0-TIV-TWS-FP0001-IV61392
to be applied on top of Tivoli Workload Scheduler Distributed 9.1 FP01

The fix will also be officially included in the next fix packs for the same
Tivoli Workload Scheduler for Applications versions.
The fix has already been included in Tivoli Workload Scheduler Distributed
8.5 FP05, which was released by June 30th.

Workarounds and Mitigations

None.

References

Complete CVSS Guide
On-line Calculator V2
CVE-2014-0224
CVE-2014-0221
CVE-2014-0195
CVE-2014-3470
http://xforce.iss.net/xforce/xfdb/93586
http://xforce.iss.net/xforce/xfdb/93587
http://xforce.iss.net/xforce/xfdb/93588
http://xforce.iss.net/xforce/xfdb/93589

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

2014-02-07 : Original Copy Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================