A fix is available
APAR status
Closed as program error.
Error description
Ostensibly secure connections with a sendmail server enabled for TLS (i.e. the binary originally shipped and installed on AIX systems as /usr/sbin/sendmail_ssl) are vulnerable as described in Common Vulnerabilities and Exposures report CVE-2009-4565, quoted below. This applies to sendmail versions below 8.14.4. The version, and whether TLS support is compiled in, can be checked with the command

  /usr/sbin/sendmail -d0.10 < /dev/null

and examination of the "Compiled with" list it prints for "STARTTLS".

Whether the running binary is the one enabled for TLS can also be checked by looking for a "250 STARTTLS" line in the server's response to a connection established in either of the following two ways:

1) send "ehlo <your-domain-name>" followed by "quit" over a connection to the sendmail server host opened with: telnet <server-address> smtp

2) echo test | mail -v <username>@<server-address>

CVE-2009-4565 notice: "sendmail before 8.14.4 does not properly handle a '\0' character in a Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority," ...
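The two checks this description relies on, as an added example that is not part of the APAR or of sendmail's own code: first, a parser for the multi-line EHLO reply that reports whether STARTTLS is advertised (the "250 STARTTLS" line the text tells you to look for); second, a model of the defect class in CVE-2009-4565, where a C-string comparison stops at the first '\0' in the certificate CN, shown beside a length-delimited comparison that rejects embedded NUL bytes. The EHLO reply, the crafted CN and the host names are constructed sample values; the exact comparison sendmail used internally is not on the page and is not claimed here.

```python
"""Defender-side checks related to CVE-2009-4565 (added example, not AIX/sendmail code)."""

# Constructed sample EHLO reply in the RFC 5321 shape: "250-" continuation
# lines, "250 " (space) on the final line. Server and client names are made up.
SAMPLE_EHLO_REPLY = (
    "250-mail.example.com Hello client.example.com [192.0.2.10], pleased to meet you\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-PIPELINING\r\n"
    "250-8BITMIME\r\n"
    "250 STARTTLS\r\n"
)


def ehlo_advertises_starttls(reply: str) -> bool:
    """Return True if any 250 line of an EHLO reply carries the STARTTLS keyword.

    Both '250-' (more lines follow) and '250 ' (last line) are accepted, so the
    check does not depend on where in the list the server places STARTTLS.
    """
    for line in reply.splitlines():
        if len(line) >= 4 and line[:3] == "250" and line[3] in "- ":
            keyword = line[4:].split(" ", 1)[0].strip().upper()
            if keyword == "STARTTLS":
                return True
    return False


# Constructed crafted CN: a CA that checks only the visible prefix could issue it,
# and a C-string comparison would see only "mail.example.com".
CRAFTED_CN = b"mail.example.com\x00.attacker.example"


def cn_as_c_string(cn: bytes) -> bytes:
    """Emulate strcmp-style truncation at the first NUL byte (the unsafe view)."""
    nul = cn.find(b"\x00")
    return cn if nul < 0 else cn[:nul]


def unsafe_cn_matches(cn: bytes, expected_host: str) -> bool:
    """Vulnerable pattern: compare the CN only up to its first NUL byte."""
    visible = cn_as_c_string(cn).decode("ascii", "replace")
    return visible.lower() == expected_host.lower()


def safe_cn_matches(cn: bytes, expected_host: str) -> bool:
    """Hardened pattern: treat the CN as a length-delimited value.

    Rejects embedded NUL bytes and non-ASCII content outright, then compares the
    whole value; a single leading '*.' label matches exactly one host label.
    """
    if b"\x00" in cn:
        return False
    try:
        name = cn.decode("ascii").lower()
    except UnicodeDecodeError:
        return False
    host = expected_host.lower().rstrip(".")
    if not name or not host:
        return False
    if name.startswith("*."):
        suffix = name[1:]  # ".example.com"
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        return "." not in host[: -len(suffix)]
    return name == host


def audit_cn(cn: bytes, expected_host: str) -> dict:
    """Report what the two comparison styles conclude for one CN/host pair."""
    return {
        "visible_prefix": cn_as_c_string(cn).decode("ascii", "replace"),
        "has_embedded_nul": b"\x00" in cn,
        "unsafe_match": unsafe_cn_matches(cn, expected_host),
        "safe_match": safe_cn_matches(cn, expected_host),
    }


if __name__ == "__main__":
    print("STARTTLS advertised:", ehlo_advertises_starttls(SAMPLE_EHLO_REPLY))
    for key, value in audit_cn(CRAFTED_CN, "mail.example.com").items():
        print(f"{key}: {value}")
```

The audit for the crafted CN is the whole point: the NUL-truncating comparison reports a match for mail.example.com while the length-delimited one refuses it, which is exactly the gap that let a certificate for one name pass as another. When reading a CN from a real certificate, take it from the parsed DER value with its length rather than via any C-string conversion.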
Local fix
The vulnerability does not apply if TLS support is not enabled. Switching to sendmail_nonssl would prevent a false assumption of a secure connection.
Problem summary
Secure connections with a sendmail server enabled for TLS (i.e. the binary originally shipped and installed on AIX systems as /usr/sbin/sendmail_ssl) are vulnerable as described in Common Vulnerabilities and Exposures report CVE-2009-4565.
Problem conclusion
Code is modified to correctly handle the '\0' character in the Common Name (CN) field of an X.509 certificate.
Temporary fix
Comments
5300-08 - use AIX APAR IZ72834
5300-09 - use AIX APAR IZ72835
5300-10 - use AIX APAR IZ72836
5300-11 - use AIX APAR IZ72837
5300-12 - use AIX APAR IZ72526
6100-01 - use AIX APAR IZ72528
6100-02 - use AIX APAR IZ72515
6100-03 - use AIX APAR IZ72510
6100-04 - use AIX APAR IZ70637
6100-05 - use AIX APAR IZ72539
6100-06 - use AIX APAR IZ72602
7100-00 - use AIX APAR IZ89860
APAR Information
APAR number
IZ72510
Reported component name
AIX 610 STD EDI
Reported component ID
5765G6200
Reported release
610
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Submitted date
2010-03-09
Closed date
2010-03-09
Last modified date
2013-03-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
AIX 610 STD EDI
Fixed component ID
5765G6200
Applicable component levels
R610 PSY U831176
UP10/04/22 I 1000
PTF to Fileset Mapping
U831176 bos.net.tcp.client 6.1.3.4
Document Information
Modified date:
29 March 2013