× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. October 2023

RE: Security Bulletin: IBM WebSphere Application Server Liberty for IBM i is vulnerable to man-in-the-middle spoofing attack (CVE-2022-39161)

No, this is for verification of the certificate(s) returned by the application server for TLS communication. In certificates, you have a common name, and Subject Alternate Names. Domain name and IP address values are the values you would specify if you chose to use this support.

For example, if you go to www.ibm.com<http://www.ibm.com>, and examine the certificate, you would see these values:

Common Name: www.ibm.com
Subject Alt Names:
DNS Name www.ibm.com<http://www.ibm.com>
DNS Name 1.cms.s81c.com
DNS Name 1.cmsnew.s81c.com
.
.
.

These are the value(s) you would use.

-----------------------------------------------
Nadir Amra
e-mail: amra@xxxxxxxxxx


From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> on behalf of Rob Berendt <robertowenberendt@xxxxxxxxx>
Date: Tuesday, October 24, 2023 at 12:41 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: [EXTERNAL] Re: Security Bulletin: IBM WebSphere Application Server Liberty for IBM i is vulnerable to man-in-the-middle spoofing attack (CVE-2022-39161)
I understood that the ibm.com's were examples.
My question was: am I supposed to list all hosts which may connect to this
site?

On Mon, Oct 23, 2023 at 3:33 PM Nadir Amra <amra@xxxxxxxxxx> wrote:

First, you should be complete with cover letter:

Here is an example.

To enable integrated web services server WSERVICE to allow
certificates with DNS names of ibm.com, developer.ibm.com:

webPluginConfig.sh -operation *UPDATE
-server WSERVICE -secureHostVerification true
-hostAliases ibm.com,developer.ibm.com

The use of ibm.com,developer.ibm.com is an EXAMPLE.

Second, the “fix” enables you to ensure certificates used for TLS
connection that the HTTP server plug-in receives from the application
server is what is expected. Domain names or IP addresses are specified in
the Subject Alternative Name field of the certificate. It is simply
another check.

If you want more detailed information, please read the CVE.



As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.