WebSphere MQ Security Bulletin: multiple vulnerabilities in GSKit component
WebSphere MQ Security Vulnerability: There is the potential for invalid SSL or TLS record data to be injected by an attacker to perform a denial of service attack. There is also the potential for a malicious certificate authority (CA) certificate to be injected into a keystore via the import of a PKCS#12 file without authentication.
CVE ID: CVE-2012-2191, CVE-2012-2203
There are two security vulnerabilities in the GSKit component of WebSphere MQ. The vulnerabilities can only be exploited if the GSKit component of MQ is being used: (a) for certificate management, or (b) to implement SSL or TLS enabled channels.
CVE-2012-2191 (CVSS 5)
An invalid data size in either SSL or TLS records could lead to a segmentation violation in GSKit.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75996 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2012-2203 (CVSS 5.8)
RFC 5208 states that the message authentication code (MAC) for certificate data in PKCS#12 files is optional. A PKCS#12 file that carries no MAC could be modified, prior to being imported into a GSKit keystore, to contain a malicious CA certificate.
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/77280 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
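The bulletin describes the first issue (CVE-2012-2191) only as an invalid data size in an SSL or TLS record, and GSKit's record-layer code is not shown here. The following Python example is added for illustration and is not IBM's or GSKit's code: it shows the header sanity check that any record parser, whether in a TLS stack or in detection tooling that reassembles TLS from captures, should apply before it trusts the 16-bit length field for an allocation or copy. The limits come from RFC 5246 section 6.2; the sample records, and the function names check_record and scan_stream, are this example's own constructions.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Record-layer limits from RFC 5246 (TLS 1.2), section 6.2; SSL 3.0 uses the same framing.
HEADER_LEN = 5
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
MAX_PLAINTEXT = 2 ** 14          # TLSPlaintext.length MUST NOT exceed 2^14
MAX_CIPHERTEXT = 2 ** 14 + 2048  # TLSCiphertext.length MUST NOT exceed 2^14 + 2048


@dataclass
class RecordHeader:
    content_type: int
    version: Tuple[int, int]
    length: int


def check_record(buf: bytes, encrypted: bool = True) -> Tuple[str, Optional[RecordHeader]]:
    """Validate the record at the start of buf without trusting its length field.

    Returns (verdict, header). Verdicts: "ok", "short_header", "bad_content_type",
    "bad_version", "empty_fragment", "length_too_large", "truncated".
    """
    if len(buf) < HEADER_LEN:
        return "short_header", None
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:HEADER_LEN])
    hdr = RecordHeader(ctype, (major, minor), length)
    if ctype not in CONTENT_TYPES:
        return "bad_content_type", hdr
    if major != 3 or minor > 3:  # SSL 3.0 = (3,0) ... TLS 1.2 = (3,3)
        return "bad_version", hdr
    # Zero-length fragments are only permitted for application_data (RFC 5246, 6.2.1).
    if length == 0 and ctype != 23:
        return "empty_fragment", hdr
    # Bound the declared length BEFORE it is used for any allocation or copy.
    if length > (MAX_CIPHERTEXT if encrypted else MAX_PLAINTEXT):
        return "length_too_large", hdr
    if len(buf) < HEADER_LEN + length:
        return "truncated", hdr
    return "ok", hdr


def scan_stream(buf: bytes, encrypted: bool = True) -> List[str]:
    """Walk consecutive records in buf, stopping at the first one that fails validation."""
    verdicts: List[str] = []
    offset = 0
    while offset < len(buf):
        verdict, hdr = check_record(buf[offset:], encrypted)
        verdicts.append(verdict)
        if verdict != "ok":
            break
        offset += HEADER_LEN + hdr.length
    return verdicts


# Constructed sample records (not captured traffic).
# A well-formed TLS 1.0 handshake record carrying a 4-byte ServerHelloDone message.
GOOD_RECORD = bytes([0x16, 0x03, 0x01, 0x00, 0x04]) + bytes([0x0E, 0x00, 0x00, 0x00])
# The same header with the length field set to 0xFFFF, far above the record-layer limit.
OVERSIZED_RECORD = bytes([0x16, 0x03, 0x01, 0xFF, 0xFF]) + b"\x00" * 8
# An application_data record claiming 16 bytes of payload but carrying only 4.
TRUNCATED_RECORD = bytes([0x17, 0x03, 0x03, 0x00, 0x10]) + b"\x00" * 4

if __name__ == "__main__":
    for name, rec in [("good", GOOD_RECORD), ("oversized", OVERSIZED_RECORD), ("truncated", TRUNCATED_RECORD)]:
        print(name, check_record(rec))
    print(scan_stream(GOOD_RECORD + GOOD_RECORD + OVERSIZED_RECORD))
```

The order of the checks matters: the declared length is compared against the protocol maximum before it is compared against the bytes actually available, so a parser that pre-allocates a buffer from the length field never does so for a value the protocol can never produce. Whether a record counts as plaintext or ciphertext depends on whether the connection has already changed cipher spec, which is why the bound is a parameter.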
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Certain versions of the GSKit component of WebSphere MQ are affected; refer to the remediation section for more information.
- WebSphere MQ 7.0.1 on all platforms (except IBM i and z/OS)
- WebSphere MQ 7.1 on all platforms (except IBM i and z/OS)
- WebSphere MQ 7.5 on all platforms (except IBM i and z/OS)
Fixes for both of these vulnerabilities are included in GSKit versions 220.127.116.11 and 18.104.22.168 and later, which are provided by MQ fix packs.
WebSphere MQ 7.0.1
Apply fix pack 22.214.171.124 or later. See http://www.ibm.com/support/docview.wss?rs=171&uid=swg24033008
WebSphere MQ 7.1
Apply fix pack 126.96.36.199 when available. In the interim, apply APAR IC87061.
WebSphere MQ 7.5
Apply fix pack 188.8.131.52 when available. In the interim, apply APAR IC87061.
Use filesystem security to limit write access to PKCS#12 files, to prevent a malicious CA certificate from being injected.
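Because the second issue (CVE-2012-2203) turns on the PKCS#12 MAC being optional, an operator may want to screen incoming PKCS#12 files for the presence of a MAC before they reach GSKit, alongside the write-access restriction above. The following Python example is added here and is not IBM's or GSKit's code: it walks the outer DER structure of a PFX as defined by PKCS#12 (version, authSafe, optional macData) and refuses files that carry no macData. The helper names (inspect_pkcs12, accept_for_import) are this example's own, and the sample blobs built at the bottom are structural stand-ins constructed in the script, not real keystores.

```python
from typing import Dict, List, Tuple

# DER tags used below (universal class unless noted)
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
CONTEXT_0 = 0xA0  # [0] EXPLICIT

DIGEST_NAMES = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def read_tlv(buf: bytes, off: int = 0) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at buf[off]; return (tag, body, offset after the element)."""
    if off + 2 > len(buf):
        raise ValueError("truncated element")
    tag, n = buf[off], buf[off + 1]
    off += 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = n & 0x7F
        if k == 0 or k > 4 or off + k > len(buf):
            raise ValueError("unsupported or truncated length")
        n = int.from_bytes(buf[off:off + k], "big")
        off += k
    if off + n > len(buf):
        raise ValueError("truncated element")
    return tag, buf[off:off + n], off + n


def children(body: bytes) -> List[Tuple[int, bytes]]:
    """Decode the TLVs that make up a constructed element's body."""
    out, off = [], 0
    while off < len(body):
        tag, val, off = read_tlv(body, off)
        out.append((tag, val))
    return out


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def inspect_pkcs12(data: bytes) -> Dict[str, object]:
    """Report whether a PKCS#12 (PFX) file carries the optional macData element.

    PFX ::= SEQUENCE { version INTEGER, authSafe ContentInfo, macData MacData OPTIONAL }
    MacData ::= SEQUENCE { mac DigestInfo, macSalt OCTET STRING, iterations INTEGER DEFAULT 1 }
    """
    tag, body, end = read_tlv(data)
    if tag != SEQUENCE or end != len(data):
        raise ValueError("not a DER-encoded PFX")
    elems = children(body)
    if len(elems) < 2 or elems[0][0] != INTEGER or elems[1][0] != SEQUENCE:
        raise ValueError("PFX is missing version or authSafe")
    info: Dict[str, object] = {
        "version": int.from_bytes(elems[0][1], "big", signed=True),
        "has_mac": False, "mac_digest": None, "mac_iterations": None,
    }
    if len(elems) >= 3 and elems[2][0] == SEQUENCE:
        mac = children(elems[2][1])
        alg_id = children(children(mac[0][1])[0][1])  # DigestInfo.digestAlgorithm -> AlgorithmIdentifier
        oid = decode_oid(alg_id[0][1])
        iters = int.from_bytes(mac[2][1], "big", signed=True) if len(mac) > 2 else 1
        info.update(has_mac=True, mac_digest=DIGEST_NAMES.get(oid, oid), mac_iterations=iters)
    return info


def accept_for_import(data: bytes) -> bool:
    """Policy gate: refuse files whose contents cannot be integrity-checked at import time."""
    return bool(inspect_pkcs12(data)["has_mac"])


# --- constructed samples (structural only; not real keystores) -----------------
def der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_int(v: int) -> bytes:
    return der(INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big"))  # extra byte keeps the sign bit clear


OID_ID_DATA = bytes.fromhex("06092a864886f70d010701")  # 1.2.840.113549.1.7.1 (id-data)
OID_SHA1 = bytes.fromhex("06052b0e03021a")             # 1.3.14.3.2.26
# authSafe placeholder: ContentInfo { id-data, [0] OCTET STRING } with dummy content
AUTH_SAFE = der(SEQUENCE, OID_ID_DATA + der(CONTEXT_0, der(OCTET_STRING, b"\x00" * 4)))
MAC_DATA = der(SEQUENCE,
               der(SEQUENCE, der(SEQUENCE, OID_SHA1 + der(NULL, b"")) + der(OCTET_STRING, b"\x00" * 20))
               + der(OCTET_STRING, b"\x01" * 8) + der_int(2048))
SAMPLE_WITH_MAC = der(SEQUENCE, der_int(3) + AUTH_SAFE + MAC_DATA)
SAMPLE_NO_MAC = der(SEQUENCE, der_int(3) + AUTH_SAFE)

if __name__ == "__main__":
    for name, blob in [("with_mac", SAMPLE_WITH_MAC), ("no_mac", SAMPLE_NO_MAC)]:
        print(name, inspect_pkcs12(blob), "accept" if accept_for_import(blob) else "reject")
```

This check only establishes that a MAC is present; the importing tool still has to verify it against the file password, and because the MAC key is derived from that password, anyone who knows the password can recompute it after tampering. It therefore complements, rather than replaces, restricting write access to the files and obtaining them over a trusted path.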
Complete CVSS Guide (http://www.first.org/cvss/cvss-guide.html)
On-line Calculator V2 (http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)
CVE-2012-2191 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2191)
CVE-2012-2203 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2203)
WebSphere MQ 184.108.40.206 (http://www-01.ibm.com/support/docview.wss?uid=swg21601150)
22nd October 2012: Original Copy Published
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Software version: 7.0.1, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 7.1, 22.214.171.124, 7.5
Operating system(s): AIX, HP Itanium, HP-UX, Linux, Linux Red Hat - i/p Series, Linux Red Hat - xSeries, Linux Red Hat - zSeries, Linux SUSE - xSeries, Linux SUSE - zSeries, Linux SuSE - i/p Series, Linux iSeries, Linux on Power, Linux zSeries, Solaris, UNIX, Windows
Software edition: All Editions
Reference #: 1614483
Modified date: 2012-10-23