APAR status
Closed as program error.
Error description
When a DataPower service acts as an SSL server with server-side session caching enabled, a malicious client can modify the ciphersuite associated with a saved session in that SSL server's session cache. The malicious client can only change the associated ciphersuite to a value that the SSL server would accept on an initial handshake, which limits the severity of this attack: the attacker cannot associate a weak cipher with the session if the server does not support weak ciphers in the initial handshake. By default the DataPower SSL server does not support weak ciphers in the initial handshake.
Local fix
Yes. Disabling Server-side Session Caching in a given SSL Proxy Profile object avoids the problem for all subsequent SSL connections to services that use that object.
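The following is an added illustration, not DataPower code, of the attack described above and of why the local fix works: a toy TLS server whose session cache maps a session id to the suite negotiated when the session was created. The flawed resumption path lets a client that replays someone else's session id re-negotiate and overwrite that cache entry; the corrected path keeps the cached suite or falls back to a full handshake under a fresh id. The server profiles, client offers and the class and function names are constructed for the example; the suite names are IANA TLS names.

```python
"""Toy model of the session-cache ciphersuite downgrade described in APAR IC74203.

Added illustration only, not DataPower code. The server keeps a session cache
mapping session id -> negotiated suite. The flawed resumption path lets a
client that replays a session id re-negotiate and overwrite that entry; the
corrected path keeps the cached suite or falls back to a full handshake.
Suite names are IANA TLS names; the profiles and offers are constructed.
"""
import secrets

# Constructed server profiles, in server preference order. "default" has no
# weak suite; "permissive" has RC4 enabled as well.
DEFAULT_SUITES = ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
PERMISSIVE_SUITES = DEFAULT_SUITES + ["TLS_RSA_WITH_RC4_128_MD5"]

# A legitimate client that prefers AES but still offers RC4 for compatibility.
VICTIM_OFFER = ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
                "TLS_RSA_WITH_RC4_128_MD5"]
ATTACKER_OFFER = ["TLS_RSA_WITH_RC4_128_MD5"]   # replays the victim's session id


class HandshakeFailure(Exception):
    """No cipher suite in common between client and server."""


class SessionCachingServer:
    def __init__(self, supported, cache_enabled=True, fixed=True):
        self.supported = list(supported)
        self.cache_enabled = cache_enabled
        self.fixed = fixed
        self.cache = {}  # session id -> suite negotiated when the session was created

    def _negotiate(self, client_offered):
        # Server-preference selection over the client's offered list.
        for suite in self.supported:
            if suite in client_offered:
                return suite
        raise HandshakeFailure("no common cipher suite")

    def full_handshake(self, client_offered):
        suite = self._negotiate(client_offered)
        session_id = secrets.token_hex(16)
        if self.cache_enabled:
            self.cache[session_id] = suite
        return session_id, suite

    def handshake(self, client_offered, session_id=None):
        """Handle a ClientHello; session_id is the client's resumption request."""
        if session_id is None or session_id not in self.cache:
            return self.full_handshake(client_offered)
        cached = self.cache[session_id]
        if cached in client_offered:
            return session_id, cached          # normal resumption, suite unchanged
        if not self.fixed:
            # Flawed path: re-negotiate from the client's list and store the
            # result under the *existing* id, changing the suite that every later
            # resumption of this session will get.
            suite = self._negotiate(client_offered)
            self.cache[session_id] = suite
            return session_id, suite
        # Corrected path: a resumed session keeps the suite it was created with
        # (RFC 5246 section 7.4.1.2); otherwise start a new session and leave the
        # cached entry untouched.
        return self.full_handshake(client_offered)


def downgrade_scenario(server_suites, fixed=True, cache_enabled=True):
    """Victim connects, attacker replays the victim's session id offering only a
    weak suite, victim reconnects with that id. Returns the three outcomes."""
    server = SessionCachingServer(server_suites, cache_enabled, fixed)
    sid, initial = server.handshake(VICTIM_OFFER)
    try:
        _, attacker = server.handshake(ATTACKER_OFFER, session_id=sid)
    except HandshakeFailure:
        attacker = None
    _, resumed = server.handshake(VICTIM_OFFER, session_id=sid)
    return {"initial": initial, "attacker": attacker, "resumed": resumed}


if __name__ == "__main__":
    for label, suites in (("default", DEFAULT_SUITES), ("permissive", PERMISSIVE_SUITES)):
        for fixed in (False, True):
            print(label, "fixed" if fixed else "flawed", downgrade_scenario(suites, fixed))
    print("permissive, flawed, cache disabled",
          downgrade_scenario(PERMISSIVE_SUITES, fixed=False, cache_enabled=False))
```

Run as a script, it shows the three points the APAR makes: with the flawed path and a profile that still enables RC4, the victim's later resumption lands on RC4 even though it negotiated AES at first; with the default (no weak suites) profile the attacker's replay fails the handshake and the cache entry is never changed; and with caching disabled every connection is a full handshake, so the replayed id has nothing to poison.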
Problem summary
Fix the ciphersuite downgrade attack.
Problem conclusion
The fix is available in 3.7.3.17, 3.8.0.11, 3.8.1.10 and 3.8.2.2.
Temporary fix
Comments
APAR Information
APAR number
IC74203
Reported component name
DATAPOWER
Reported component ID
DP1234567
Reported release
381
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2011-02-01
Closed date
2011-02-23
Last modified date
2011-02-28
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
DATAPOWER
Fixed component ID
DP1234567
Applicable component levels
R373 PSY
UP
R380 PSY
UP
R381 PSY
UP
R382 PSY
UP
Document Information
Modified date:
11 February 2022