Security Bulletin: An IBM Business Process Manager SSL connection can be established without host name verification: CVE-2012-5785

2022-09-25 20:45:36
www.ibm.com

5 Medium (CVSS2)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.573 (Medium), Percentile: 97.7%

Abstract

A Secure Sockets Layer (SSL) connection can be established without host name verification, which can make the connection vulnerable to a man-in-the-middle attack.

Content

While obtaining an SSL connection, the IBM Business Process Management (BPM) system does not validate the host name of the target connection against the SubjectDN of the certificate. This situation can make the connection vulnerable to a man-in-the-middle attack.

CVE ID: CVE-2012-5785
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/79830> for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

REMEDIATION
To eliminate a man-in-the-middle attack, apply Interim Fixes JR45329, JR45216, and JR45071, or apply a Fix Pack that contains these APARs. These changes verify the host name against the certificate SubjectDN value. Using the following links, download the interim fixes from IBM Fix Central for IBM Integration Designer, Business Space (IBM Business Monitor) and your applicable IBM Business Process Manager product:

If a system is incorrectly configured, enabling host name validation can result in the following error message:

HttpMethodDir I org.apache.commons.httpclient.HttpMethodDirector executeWithRetry I/O exception (javax.net.ssl.SSLException) caught when processing request: hostname in certificate didn't match: <certificatehostname> != <targethostname>

You can rectify this error by making sure the presented certificate SubjectDN matches the target host name.
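As an added illustration of the check the fix introduces (example code, not IBM's), the following Python compares a target host name with the names in a peer certificate, reports a mismatch in the same form as the HttpClient error quoted above, and shows the unverified client setting beside the verified one. The certificates and host names are constructed for the example; the SAN-before-CN precedence and wildcard rules follow RFC 6125 rather than anything stated in the bulletin.

```python
import ssl

# Constructed sample peer certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); the host names are made up for this example.
CERT_WITH_SAN = {
    "subject": ((("commonName", "bpm-legacy.example.internal"),),),
    "subjectAltName": (("DNS", "bpm.example.internal"),
                       ("DNS", "*.bpm.example.internal")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "bpm.example.internal"),),)}


def _dns_name_match(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, label by label; '*' is
    accepted only as the entire leftmost label and never spans a dot."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # require at least two fixed labels so "*.internal" is not accepted
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_names(cert: dict) -> list:
    """Names the client may match against: SAN dNSName entries take
    precedence; the subject CN is used only when no dNSName is present."""
    dns = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns:
        return dns
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def verify_hostname(cert: dict, target_host: str) -> tuple:
    """Return (matched, message); the failure message mirrors the form of
    the HttpClient error quoted in the bulletin."""
    names = cert_names(cert)
    for name in names:
        if _dns_name_match(name, target_host):
            return True, f"hostname in certificate matched: {name} == {target_host}"
    shown = names[0] if names else "<no name in certificate>"
    return False, f"hostname in certificate didn't match: {shown} != {target_host}"


def make_client_context(verify_host: bool = True) -> ssl.SSLContext:
    """Weak setting beside the corrected one: check_hostname=False is the
    class of misconfiguration the bulletin describes, True is the fix."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, check_hostname=True
    ctx.check_hostname = verify_host
    return ctx
```

Note that a certificate whose CN matches the target but whose SAN list does not still fails, which is the usual cause of the "didn't match" error after verification is turned on.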

REFERENCES

Note: The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. You can evaluate the impact of this vulnerability in your environments by accessing the links in the Reference section of this document.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Related Information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog


Product Synonym

BPM
