MIDRANGE dot COM Mailing List Archive



Home » MIDRANGE-L » April 2014

RE: OpenSSL Vulnerability Notice



fixed

That is not us. We get cumulative packages and groups every quarter and apply them even if we have no issues.

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
Sent: Tuesday, April 15, 2014 7:41 AM
To: Midrange Systems Technical Discussion
Subject: RE: OpenSSL Vulnerability Notice

Paul,

There are going to be people who skip right over this email. Why? Because they don't like to apply PTFs with the mentality "If it ain't broke, don't fix it." It upsets them to find out that they're broke.


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'"
<midrange-l@xxxxxxxxxxxx>
Date: 04/14/2014 03:39 PM
Subject: RE: OpenSSL Vulnerability Notice
Sent by: midrange-l-bounces@xxxxxxxxxxxx



Previously, we stated that if running OpenSSL 0.9.8, we were safe.
However, there was additional info in "The Four Hundred" dated 4/14, that
states there are additional issues resolved by multiple PTFs.

http://www.itjungle.com/tfh/tfh041414-story02.html


"That leaves us the unexpected news. While the Heartbleed vulnerability
doesn't impact the IBM i utilities package because it is running an older
version of OpenSSL, other recently discovered OpenSSL vulnerabilities do
impact IBM i. According to Watkins, IBM is currently working on a patch
for CVE-2014-0076, or the "FLUSH+RELOAD Cache Side-channel Attack," which
was disclosed March 25. You will want to keep an eye out for the PTF when
it's ready.

In the last week, IBM has patched several other recently disclosed OpenSSL
vulnerabilities that do impact the IBM i utility. CVE-2013-0169, or the
"Lucky Thirteen" flaw, was addressed by IBM with PTFs SI49896, SI49904,
and SI49867. CVE-2013-0166, a signature verification flaw, was addressed
with SI49896, SI49904, and SI49867. To view PTF cover sheets and other
related information on security patches for IBM i, go to the Preventive
Service Planning webpage. You will probably want to apply these patches
pronto. You will also want to make sure your other IBM products
(WebSphere, Apache Web server, Notes/Domino) aren't impacted as well.

Several other recently disclosed OpenSSL vulnerabilities that don't impact
the IBM i OpenSSL utility package include CVE-2013-4353, CVE-2013-6450,
CVE-2013-6449, and CVE-2012-2686.

IBM isn't the only software vendor to use OpenSSL, of course, and there
are several IBM i products that may also be affected by the Heartbleed
flaw, but they don't appear to be in widespread use. This includes a
client for a Subversion change management system from the Russian software
company Banking Technologies and Consulting, and the old firewall from
Stonesoft (now part of McAfee). There are undoubtedly others.

Townsend Security does use OpenSSL in its Alliance Key Manager solution,
but it doesn't use a version that is affected by Heartbleed, CEO Patrick
Townsend tells IT Jungle. "Townsend Security does NOT use OpenSSL in any
of our IBM i products," Townsend says. The company's complete statement on
the Heartbleed vulnerability can be read here.

Similarly, Linoma Software, which provides encryption and MFT software for
IBM i, also doesn't use OpenSSL. Instead it relies on the JSSE
implementation of SSL/TLS for encrypted sessions. You can read Linoma's
take on the matter here.

Now's the fun part: Time to go change all your passwords! If you have any
questions about which websites are particularly susceptible, check out the
free Heartbleed vulnerability test website, www.ssllabs.com, which was set
up by Qualys."

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Pete Helgren
Sent: Thursday, April 10, 2014 8:56 AM
To: Midrange Systems Technical Discussion
Subject: Re: OpenSSL Vulnerability Notice

If that is an SSH connection, you aren't vulnerable. SSH only uses the
OpenSSL library for cryptography...the TLS portion of OpenSSL is what uses
the "heartbeat" and has the problem. So, SSH (say puTTY using SSH) isn't
vulnerable....

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java

On 4/9/2014 6:10 PM, Jerry Draper wrote:
When I connect to a server using OpenSSL I get this response when the
command line switch is set to -vvv:

OpenSSH_4.7p1, OpenSSL 0.9.8y 5 Feb 2013

Is this my client version or the version of the server?

Thanks,

Jerry


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list.
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.
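As an added example, not part of the thread or of any participant's message, here is a small Python triage helper for the two questions raised above: whether an OpenSSL build string (from `ssh -V`, `ssh -vvv`, or `openssl version`) falls in the Heartbleed-affected range (1.0.1 before 1.0.1g, and 1.0.2-beta1), and which side of an SSH session the version banner in `ssh -vvv` output belongs to. The `ssh -vvv` sample is constructed; only its first line is taken from Jerry's message, and `host.example` / `OpenSSH_6.2` are made up.

```python
import re

# Heartbleed lives in the TLS heartbeat extension, present only in the 1.0.1
# branch before 1.0.1g and in the 1.0.2-beta1 pre-release; 0.9.8 and 1.0.0
# never had that code, which is why a client built on 0.9.8y is unaffected.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|fips))?")

def parse_openssl_version(text):
    """(major, minor, fix, letter, tag) for the first OpenSSL banner in text,
    e.g. 'OpenSSL 1.0.2-beta1 ...' -> (1, 0, 2, '', 'beta1'); None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter, tag = m.groups()
    return int(major), int(minor), int(fix), letter, tag

def heartbleed_affected(version):
    """True when a parsed version falls in the Heartbleed-affected range."""
    major, minor, fix, letter, tag = version
    if (major, minor, fix) == (1, 0, 1):
        return letter < "g"       # 1.0.1 .. 1.0.1f affected; 1.0.1g is the fix
    if (major, minor, fix) == (1, 0, 2):
        return tag == "beta1"     # 1.0.2-beta2 already carried the fix
    return False

def triage_ssh_debug(output):
    """Separate what `ssh -vvv` reveals about each side: the first line is the
    client's own OpenSSH/OpenSSL build string, while the server only advertises
    its SSH software version and never which OpenSSL it links against."""
    client_banner = output.splitlines()[0]
    remote = re.search(r"remote software version (\S+)", output)
    version = parse_openssl_version(client_banner)
    return {
        "client_banner": client_banner,
        "client_openssl_heartbleed": heartbleed_affected(version) if version else None,
        "server_software": remote.group(1) if remote else None,
    }

# Constructed sample (not real captured output): the first line is the banner
# quoted in Jerry's message; the remaining lines imitate OpenSSH -vvv output.
SAMPLE_SSH_VVV = """OpenSSH_4.7p1, OpenSSL 0.9.8y 5 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to host.example [192.0.2.10] port 22.
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
"""

if __name__ == "__main__":
    print(triage_ssh_debug(SAMPLE_SSH_VVV))
```

The banner Jerry quoted is therefore the client's own build, and nothing in the client-side debug output tells you which OpenSSL, if any, the server was built against; that has to be checked on the server itself.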


This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact