The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of IBM GSKit: infinite loop of SSL

Synthesis of the vulnerability 

An attacker can send malicious SSL/TLS messages to applications using IBM GSKit, in order to trigger a denial of service.
Impacted products: DB2 UDB, Domino by IBM, I-Connect, Informix Server, Notes by IBM, Security Directory Server, SPSS Modeler, Tivoli Storage Manager, Tivoli Workload Scheduler.
Severity of this bulletin: 3/4.
Creation date: 20/05/2014.
References of this threat: 1610582, 1671732, 1672724, 1673008, 1673018, 1673666, 1673696, 1674047, 1674824, 1674825, 1681114, 7042179, CVE-2014-0963, VIGILANCE-VUL-14775.

Description of the vulnerability 

The IBM Global Security Kit (GSKit) suite implements SSL/TLS support for several IBM applications.

However, some SSL messages trigger an infinite loop in GSKit.

An attacker can therefore send malicious SSL/TLS messages to applications using IBM GSKit, in order to trigger a denial of service.

This computer vulnerability alert impacts software or systems such as DB2 UDB, Domino by IBM, I-Connect, Informix Server, Notes by IBM, Security Directory Server, SPSS Modeler, Tivoli Storage Manager, Tivoli Workload Scheduler.

Our Vigil@nce team determined that the severity of this computer threat alert is important.

The trust level of this bulletin is "confirmed by the editor", and the attack origin is "internet client".

An attacker with expert skills can exploit this security vulnerability.

Solutions for this threat 

IBM DB2: APAR for GSKit.
An APAR is available:
  V9.5: IC98853
  V9.7 FP9a: IC99474 http://www.ibm.com/support/docview.wss?uid=swg24036646
  V9.8: IC99476
  V10.1 FP3a: IC99475 http://www.ibm.com/support/docview.wss?uid=swg24035759
  V10.1 FP4: IC99475 http://www.ibm.com/support/docview.wss?uid=swg24037466
  V10.5 FP3a: IC99477 http://www.ibm.com/support/docview.wss?uid=swg24036705

IBM DB2: version 10.1 Fix Pack 4.
Version 10.1 Fix Pack 4 is fixed.

IBM Informix Client SDK: solution for GSKit.
The solution is indicated in the information sources.

IBM Informix Server: solution for GSKit.
The solution is indicated in the information sources.

IBM Lotus Notes, Domino: patch for Java.
A patch is available:
  http://www-01.ibm.com/support/docview.wss?uid=swg24037141

IBM Security Directory Server: patch for GSKit.
A patch is available:
  ISDS 6.1.0: 6.1.0.61-ISS-ITDS
  ISDS 6.2.0: 6.2.0.36-ISS-ITDS
  ISDS 6.3.0: 6.3.0.30-ISS-ITDS
  ISDS 6.3.1: 6.3.1.2-ISS-ISDS

IBM SPSS Modeler: patch for GSKit.
A patch is available:
  SPSS Modeler 16.0 Interim Fix 13
  http://www.ibm.com/support/docview.wss?uid=swg24037537

IBM SPSS Modeler: version 16.0 FP1.
Version 16.0 FP1 is fixed.

IBM Tivoli Storage Manager: fixed versions for GSKit.
Fixed versions are indicated in the information sources.

IBM Tivoli Workload Scheduler: patch for GSKit.
A patch is available:
  8.5.1-TIV-TWS-FP0005-IV60577
  8.6.0-TIV-TWS-FP0003-IV60577
  9.1.0-TIV-TWS-FP0001-IV60577
  9.2.0-TIV-TWS-FP0000-IV60577