MIDRANGE dot COM Mailing List Archive




RE: OpenSSL Vulnerability Notice



fixed

Is everyone changing their AS/400 passwords because of the vulnerability?

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Roger Harman
Sent: Tuesday, April 15, 2014 11:10 AM
To: Midrange Systems Technical Discussion
Subject: RE: OpenSSL Vulnerability Notice

I've never understood that "if it ain't broke...." line of thought. It *IS* broken, you just may not be affected.... YET.


To: midrange-l@xxxxxxxxxxxx
Subject: RE: OpenSSL Vulnerability Notice
From: rob@xxxxxxxxx
Date: Tue, 15 Apr 2014 08:12:28 -0400

Exactly what we do.


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: Mike Cunningham <mike.cunningham@xxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 04/15/2014 08:08 AM
Subject: RE: OpenSSL Vulnerability Notice
Sent by: midrange-l-bounces@xxxxxxxxxxxx



That is not us. We get cumulative packages and groups every quarter
and apply them even if we have no issues.

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [
mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
Sent: Tuesday, April 15, 2014 7:41 AM
To: Midrange Systems Technical Discussion
Subject: RE: OpenSSL Vulnerability Notice

Paul,

There are going to be people who skip right over this email. Why?
Because they don't like to apply PTFs, with the mentality "If it ain't
broke, don't fix it." It upsets them to find out that they're broke.


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'"
<midrange-l@xxxxxxxxxxxx>
Date: 04/14/2014 03:39 PM
Subject: RE: OpenSSL Vulnerability Notice
Sent by: midrange-l-bounces@xxxxxxxxxxxx



Previously, we stated that if running OpenSSL 0.9.8, we were safe.
However, there was additional info in "The Four Hundred" dated 4/14,
that states there are additional issues resolved by multiple PTFs.

http://www.itjungle.com/tfh/tfh041414-story02.html


"That leaves us the unexpected news. While the Heartbleed
vulnerability doesn't impact the IBM i utilities package because it is
running an older version of OpenSSL, other recently discovered OpenSSL
vulnerabilities do impact IBM i. According to Watkins, IBM is
currently working on a patch for CVE-2014-0076, or the "FLUSH+RELOAD
Cache Side-channel Attack," which was disclosed March 25. You will
want to keep an eye out for the PTF when it's ready.

In the last week, IBM has patched several other recently disclosed
OpenSSL vulnerabilities that do impact the IBM i utility. CVE-2013-0169, or
the "Lucky Thirteen" flaw, was addressed by IBM with PTFs SI49896,
SI49904, and SI49867. CVE-2013-0166, a signature verification flaw,
was addressed with SI49896, SI49904, and SI49867. To view PTF cover
sheets and other related information on security patches for IBM i, go
to the Preventive Service Planning webpage. You will probably want to
apply these patches pronto. You will also want to make sure your other
IBM products (WebSphere, Apache Web server, Notes/Domino) aren't impacted as well.

Several other recently disclosed OpenSSL vulnerabilities that don't
impact the IBM i OpenSSL utility package include CVE-2013-4353,
CVE-2013-6450, CVE-2013-6449, and CVE-2012-2686.

IBM isn't the only software vendor to use OpenSSL, of course, and
there are several IBM i products that may also be affected by the
Heartbleed flaw, but they don't appear to be in widespread use. This
includes a client for a Subversion change management system from the
Russian software company Banking Technologies and Consulting, and the
old firewall from Stonesoft (now part of McAfee). There are undoubtedly others.

Townsend Security does use OpenSSL in its Alliance Key Manager
solution, but it doesn't use a version that is affected by Heartbleed,
CEO Patrick Townsend tells IT Jungle. "Townsend Security does NOT use
OpenSSL in any of our IBM i products," Townsend says. The company's
complete statement on the Heartbleed vulnerability can be read here.

Similarly, Linoma Software, which provides encryption and MFT software
for IBM i, also doesn't use OpenSSL. Instead it relies on the JSSE
implementation of SSL/TLS for encrypted sessions. You can read
Linoma's take on the matter here.

Now's the fun part: Time to go change all your passwords! If you have
any questions about which websites are particularly susceptible, check
out the free Heartbleed vulnerability test website, www.ssllabs.com,
which was set up by Qualys."

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [
mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Pete Helgren
Sent: Thursday, April 10, 2014 8:56 AM
To: Midrange Systems Technical Discussion
Subject: Re: OpenSSL Vulnerability Notice

If that is an SSH connection, you aren't vulnerable. SSH only uses
the OpenSSL library for cryptography...the TLS portion of OpenSSL is
what uses the "heartbeat" and has the problem. So, SSH (say PuTTY
using SSH) isn't vulnerable....

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java

On 4/9/2014 6:10 PM, Jerry Draper wrote:
When I connect to a server using OpenSSL I get this response when
the command line switch is set to -vvv:

OpenSSH_4.7p1, OpenSSL 0.9.8y 5 Feb 2013

Is this my client version or the version of the server?

Thanks,

Jerry


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at http://archive.midrange.com/midrange-l.

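An added example, not from any poster in this thread: a small Python triage helper for the two questions raised above, whether a given OpenSSL version string falls in the Heartbleed (CVE-2014-0160) range, and how to read the version line that ssh -vvv prints. The first line of ssh -v output identifies the local client build and the OpenSSL it was linked against; the server's software shows up later on the "remote software version" line and says nothing about the server's OpenSSL. Heartbleed affected OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release and was fixed in 1.0.1g; the 0.9.8 and 1.0.0 branches never carried the heartbeat code, which is why the "0.9.8 is safe" conclusion holds for this one CVE and not for the others the IT Jungle piece lists. The sample debug output is constructed, with a placeholder host and a documentation-range address. A version string alone is not proof of safety: vendors backport fixes without changing the version, builds compiled with OPENSSL_NO_HEARTBEATS are immune regardless, and, as Pete points out, SSH does not use the TLS code path, so an affected OpenSSL under an SSH client is a problem for the TLS programs on that host rather than for the SSH session.

```python
import re

# Version string as OpenSSL itself prints it, e.g. "OpenSSL 1.0.1f 6 Jan 2014"
# or "OpenSSL 1.0.2-beta1 24 Feb 2014".  Captures major.minor.fix, the
# patch letter(s), and an optional -betaN suffix.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

# ssh -v output: first line is the local client, e.g.
# "OpenSSH_4.7p1, OpenSSL 0.9.8y 5 Feb 2013"; the peer shows up later as
# "debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2".
LOCAL_RE = re.compile(r"^(OpenSSH_\S+),\s*(OpenSSL\s+\S+)")
REMOTE_RE = re.compile(r"remote software version (\S+)")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, beta) or None if no OpenSSL version is present."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def heartbleed_affected(banner):
    """Classify a banner as 'affected', 'not affected' or 'unknown' for CVE-2014-0160.

    Affected: 1.0.1 through 1.0.1f, and 1.0.2-beta1.  Fixed in 1.0.1g / 1.0.2-beta2.
    0.9.8 and 1.0.0 never contained the TLS heartbeat implementation.
    Caveat: backported fixes and -DOPENSSL_NO_HEARTBEATS builds are not
    visible in the version string, so treat 'affected' as 'needs a live check'.
    """
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    major, minor, fix, letter, beta = v
    if (major, minor, fix) == (1, 0, 1):
        # "" (plain 1.0.1) through "f" are affected; "g" and later are fixed.
        return "affected" if letter < "g" else "not affected"
    if (major, minor, fix) == (1, 0, 2):
        # Only the beta1 pre-release shipped with the bug.
        return "affected" if beta == 1 else "not affected"
    return "not affected"


def triage_ssh_debug(debug_output):
    """Pull the local client/OpenSSL build and the remote software string out of ssh -v output."""
    result = {"local_client": None, "local_openssl": None,
              "local_heartbleed": "unknown", "remote_software": None}
    for line in debug_output.splitlines():
        m = LOCAL_RE.match(line)
        if m and result["local_client"] is None:
            result["local_client"] = m.group(1)
            result["local_openssl"] = m.group(2).split()[1]
            # This is the *client's* library; the SSH session itself never
            # touches the TLS heartbeat code regardless of the answer here.
            result["local_heartbleed"] = heartbleed_affected(m.group(2))
            continue
        m = REMOTE_RE.search(line)
        if m:
            result["remote_software"] = m.group(1)
    return result


# Constructed sample ssh -vvv output (placeholder host and address).
SAMPLE_SSH_VVV = """\
OpenSSH_4.7p1, OpenSSL 0.9.8y 5 Feb 2013
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to host.example [192.0.2.10] port 22.
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
"""

if __name__ == "__main__":
    for key, value in triage_ssh_debug(SAMPLE_SSH_VVV).items():
        print(f"{key}: {value}")
```

Feed it the saved output of `ssh -vvv host` and it tells you which side each version line describes; run heartbleed_affected on the `openssl version` output of any host that actually serves TLS, then confirm with a live probe such as the SSL Labs test mentioned in the article before declaring it clean.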





