MIDRANGE dot COM Mailing List Archive

MIDRANGE-L, April 2014

RE: OpenSSL Vulnerability Notice

IBM announced another vulnerability and more i5/OS PTF fixes.
These PTFs, downloaded today, were included in Group Security SF99708.

http://www-01.ibm.com/support/docview.wss?uid=nas8N1020038

OpenSSL could allow a local attacker to obtain sensitive information, caused by an implementation error in ECDSA (Elliptic Curve Digital Signature Algorithm).


AFFECTED PRODUCTS AND VERSIONS:
Releases V5R3, V5R4, 6.1 and 7.1 of IBM i are affected.

REMEDIATION:
The issue can be fixed by applying a PTF to the IBM i Operating System.

Releases 6.1 and 7.1 of IBM i are supported and will be fixed. Releases V5R3 and V5R4 are unsupported and will not be fixed.

The IBM i PTF numbers are:

Release 6.1 - SI53046
Release 7.1 - SI53024

Paul


From: Steinmetz, Paul
Sent: Tuesday, April 22, 2014 10:32 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: OpenSSL Vulnerability Notice

Need some input and confirmation on this.
OpenSSL Vulnerability impacted us possibly 3 ways.

1) I5/OS - confirmed ok, no PTFs needed, but I read a PTF may be forthcoming.
2) I5 Firmware - Power7+ impacted, Power 7 and below ok (I'm at Power 7 740-8205-E6C-AL740_121)
3) HMC code - MH PTFs are needed.

Paul

From: Steinmetz, Paul
Sent: Monday, April 21, 2014 9:43 PM
To: 'Midrange Systems Technical Discussion'
Subject: RE: OpenSSL Vulnerability Notice

Another update from IBM.

Would a Power 740-8205-E6C be vulnerable?

It wasn't one of the items in the link.

In its security bulletin (https://www-304.ibm.com/support/docview.wss?uid=nas8N1020034), IBM advised that Power Systems firmware was affected by the Heartbleed vulnerability, CVE-2014-0160, and advised customers to take action. The bulletin applies to the Power Systems server Firmware, HMC, and SDMC. You can find the bulletin at https://www-304.ibm.com/support/docview.wss?uid=nas8N1020034.

According to IBM's bulletin, the vulnerability impacts all current Version 770 (including Power 710, 720, 730, 740, PowerLinux, 750, 760 and 780) servers, as well as Version 780 (including Power 770, 780, and 795) machines. Customers on Version 770 machines are advised to immediately upgrade their firmware to 01Ax770_076 or higher, while customers on Version 770 machines are advised to apply 01Ax780_054 or higher. IBM advises customers to find the fixes at its Fix Central (http://www-933.ibm.com/support/fixcentral/) website.

Paul

From: Steinmetz, Paul
Sent: Monday, April 21, 2014 9:00 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: OpenSSL Vulnerability Notice

HMC also impacted.

System i HMC updates: Security fixes

* Announcing MH01422 Fix for CVE-2014-0160 and CVE-2014-0076 for HMC V7 R7.7.0 SP3
  http://www14.software.ibm.com/webapp/set2/subscriptions/iqvcmjd?mode=18&ID=2633&myns=ihmc&mync=E
  Please click on the above link to read details about PTF MH01422.

* Announcing MH01425 Fix for CVE-2014-0160 and CVE-2014-0076 for HMC V7 R7.7.0 SP2
  http://www14.software.ibm.com/webapp/set2/subscriptions/iqvcmjd?mode=18&ID=2634&myns=ihmc&mync=E
  Please click on the above link to read details about PTF MH01425.

* Announcing MH01423 Fix for CVE-2014-0160 and CVE-2014-0076 for HMC V7 R7.8.0 SP1
  http://www14.software.ibm.com/webapp/set2/subscriptions/iqvcmjd?mode=18&ID=2635&myns=ihmc&mync=E
  Please click on the above link to read details about PTF MH01423.

Paul



-----Original Message-----
From: Steinmetz, Paul
Sent: Wednesday, April 16, 2014 10:46 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: OpenSSL Vulnerability Notice

Is everyone changing their AS/400 passwords because of the vulnerability?



-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx On Behalf Of Roger Harman
Sent: Tuesday, April 15, 2014 11:10 AM
To: Midrange Systems Technical Discussion
Subject: RE: OpenSSL Vulnerability Notice

I've never understood that "if it ain't broke...." line of thought. It *IS* broken, you just may not be affected.... YET.





To: midrange-l@xxxxxxxxxxxx
Subject: RE: OpenSSL Vulnerability Notice
From: rob@xxxxxxxxx
Date: Tue, 15 Apr 2014 08:12:28 -0400

Exactly what we do.

Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com











From: Mike Cunningham <mike.cunningham@xxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 04/15/2014 08:08 AM
Subject: RE: OpenSSL Vulnerability Notice
Sent by: midrange-l-bounces@xxxxxxxxxxxx

That is not us. We get cumulative packages and groups every quarter and apply them even if we have no issues.



-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx On Behalf Of rob@xxxxxxxxx
Sent: Tuesday, April 15, 2014 7:41 AM
To: Midrange Systems Technical Discussion
Subject: RE: OpenSSL Vulnerability Notice

Paul,

There are going to be people who skip right over this email. Why? Because they don't like to apply PTFs with the mentality "If it ain't broke, don't fix it." It upsets them to find out that they're broke.

Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com











From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx>
Date: 04/14/2014 03:39 PM
Subject: RE: OpenSSL Vulnerability Notice
Sent by: midrange-l-bounces@xxxxxxxxxxxx

Previously, we stated that if running OpenSSL 0.9.8, we were safe. However, there was additional info in "The Four Hundred" dated 4/14, that states there are additional issues resolved by multiple PTFs.

http://www.itjungle.com/tfh/tfh041414-story02.html

"That leaves us the unexpected news. While the Heartbleed vulnerability doesn't impact the IBM i utilities package because it is running an older version of OpenSSL, other recently discovered OpenSSL vulnerabilities do impact IBM i. According to Watkins, IBM is currently working on a patch for CVE-2014-0076, or the "FLUSH+RELOAD Cache Side-channel Attack," which was disclosed March 25. You will want to keep an eye out for the PTF when it's ready.

In the last week, IBM has patched several other recently disclosed OpenSSL vulnerabilities that do impact the IBM i utility. CVE-2013-0169, or the "Lucky Thirteen" flaw, was addressed by IBM with PTFs SI49896, SI49904, and SI49867. CVE-2013-0166, a signature verification flaw, was addressed with SI49896, SI49904, and SI49867. To view PTF cover sheets and other related information on security patches for IBM i, go to the Preventive Service Planning webpage. You will probably want to apply these patches pronto. You will also want to make sure your other IBM products (WebSphere, Apache Web server, Notes/Domino) aren't impacted as well.

Several other recently disclosed OpenSSL vulnerabilities that don't impact the IBM i OpenSSL utility package include CVE-2013-4353, CVE-2013-6450, CVE-2013-6449, and CVE-2012-2686.

IBM isn't the only software vendor to use OpenSSL, of course, and there are several IBM i products that may also be affected by the Heartbleed flaw, but they don't appear to be in widespread use. This includes a client for a Subversion change management system from the Russian software company Banking Technologies and Consulting, and the old firewall from Stonesoft (now part of McAfee). There are undoubtedly others.

Townsend Security does use OpenSSL in its Alliance Key Manager solution, but it doesn't use a version that is affected by Heartbleed, CEO Patrick Townsend tells IT Jungle. "Townsend Security does NOT use OpenSSL in any of our IBM i products," Townsend says. The company's complete statement on the Heartbleed vulnerability can be read here.

Similarly, Linoma Software, which provides encryption and MFT software for IBM i, also doesn't use OpenSSL. Instead it relies on the JSSE implementation of SSL/TLS for encrypted sessions. You can read Linoma's take on the matter here.

Now's the fun part: Time to go change all your passwords! If you have any questions about which websites are particularly susceptible, check out the free Heartbleed vulnerability test website, www.ssllabs.com, which was set up by Qualys."



-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx On Behalf Of Pete Helgren
Sent: Thursday, April 10, 2014 8:56 AM
To: Midrange Systems Technical Discussion
Subject: Re: OpenSSL Vulnerability Notice

If that is an SSH connection, you aren't vulnerable. SSH only uses the OpenSSL library for cryptography...the TLS portion of OpenSSL is what uses the "heartbeat" and has the problem. So, SSH (say puTTY using SSH) isn't vulnerable....

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java



On 4/9/2014 6:10 PM, Jerry Draper wrote:

When I connect to a server using OpenSSL I get this response when the command line switch is set to -vvv:

OpenSSH_4.7p1, OpenSSL 0.9.8y 5 Feb 2013

Is this my client version or the version of the server?

Thanks,

Jerry
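The version line `ssh -v` prints is the local client's own build string, and, as Pete says above, SSH never exercises the TLS heartbeat extension. The following Python is an added triage helper, not code from the thread or from IBM: it parses such a line, tests the OpenSSL version against the publicly documented CVE-2014-0160 range (1.0.1 through 1.0.1f, plus 1.0.2-beta1), and reports whether the use of the library is actually exposed. The sample banner is the one Jerry quoted; every other input is constructed.

```python
"""Heartbleed (CVE-2014-0160) version triage. Added example, not from the
mailing-list thread. Affected range per the OpenSSL advisory: 1.0.1 up to
and including 1.0.1f, and 1.0.2-beta1; 0.9.8 and 1.0.0 never had the
heartbeat extension."""
import re

# Matches "OpenSSL 0.9.8y", "OpenSSL 1.0.1f", "OpenSSL 1.0.2-beta1" inside a
# longer banner such as "OpenSSH_4.7p1, OpenSSL 0.9.8y 5 Feb 2013".
_VER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(text):
    """Return (major, minor, patch, letter, beta) found in a banner line,
    or None when the line carries no OpenSSL version at all."""
    m = _VER_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return (int(major), int(minor), int(patch), letter, int(beta) if beta else None)


def heartbleed_affected(version):
    """True if this OpenSSL library build contains the vulnerable heartbeat code."""
    major, minor, patch, letter, beta = version
    if (major, minor, patch) == (1, 0, 1):
        # plain "1.0.1" (empty letter) through "1.0.1f"; fixed in 1.0.1g
        return letter < "g"
    if (major, minor, patch) == (1, 0, 2):
        # only the first 1.0.2 beta shipped the bug
        return beta == 1
    return False


def triage_banner(line, protocol):
    """Triage a version line for one use of the library ("tls" or "ssh").
    library_affected: the build is in the vulnerable range.
    exposed: that build is reachable through the TLS heartbeat; SSH links
    OpenSSL for crypto primitives only, so it is never exposed this way."""
    version = parse_openssl_version(line)
    if version is None:
        return {"version": None, "library_affected": None, "exposed": None}
    affected = heartbleed_affected(version)
    return {"version": version, "library_affected": affected,
            "exposed": affected and protocol == "tls"}


if __name__ == "__main__":
    # Jerry's banner from the thread, plus a constructed vulnerable TLS stack
    print(triage_banner("OpenSSH_4.7p1, OpenSSL 0.9.8y 5 Feb 2013", "ssh"))
    print(triage_banner("OpenSSL 1.0.1f 6 Jan 2014", "tls"))
```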





--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list. To post a message email: MIDRANGE-L@xxxxxxxxxxxx. To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/midrange-l or email: MIDRANGE-L-request@xxxxxxxxxxxx. Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.









