-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Wed Jan 13 09:17:27 CST 2010

The most recent version of this document is available here:

    http://aix.software.ibm.com/aix/efixes/security/ssl_advisory.asc
or
    ftp://aix.software.ibm.com/aix/efixes/security/ssl_advisory.asc

VULNERABILITY SUMMARY

VULNERABILITY:   AIX OpenSSL session renegotiation vulnerability

PLATFORMS:       AIX 5.3, 6.1, and earlier releases

SOLUTION:        Apply the fix as described below.

THREAT:          See below

CERT VU Number:  120541
CVE Numbers:     CVE-2009-3555

DETAILED INFORMATION

I. DESCRIPTION (from US-CERT)

    "A vulnerability in the way SSL and TLS protocols allow renegotiation
    requests may allow an attacker to inject plaintext into an application
    protocol stream. This could result in a situation where the attacker
    may be able to issue commands to the server that appear to be coming
    from a legitimate source."

    "A remote, unauthenticated attacker may be able to inject an arbitrary
    amount of chosen plaintext into the beginning of the application
    protocol stream. This could allow an attacker to issue HTTP requests,
    or take action impersonating the user, among other consequences."

    Please see the following for more information:

        http://www.kb.cert.org/vuls/id/120541
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555

    Please note that this fix will disable all session renegotiation.

II. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, execute the following
    command:

        lslpp -L openssl.base

    The following fileset levels are vulnerable:

        AIX 6.1 and 5.3: all versions less than 0.9.8.1102
        AIX 6.1 and 5.3: FIPS capable versions less than 12.9.8.1102
        AIX 5.2:         all versions less than 0.9.8.805

    IMPORTANT: If AIX OpenSSH is in use, it must be updated to version 5.0
    or later when updating OpenSSL. AIX OpenSSH can be downloaded from:

        http://sourceforge.net/projects/openssh-aix

III. FIXES

    A fix is available, and it can be downloaded from:

        https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp

    To extract the fixes from the tar file:

        zcat openssl.0.9.8.1102.tar.Z | tar xvf -
    or
        zcat openssl-fips.12.9.8.1102.tar.Z | tar xvf -
    or
        zcat openssl.0.9.8.805.tar.Z | tar xvf -

    IMPORTANT: If possible, it is recommended that a mksysb backup of the
    system be created. Verify it is both bootable and readable before
    proceeding.

    To preview the fix installation:

        installp -apYd . openssl

    To install the fix package:

        installp -aXYd . openssl

IV. WORKAROUNDS

    There are no workarounds.

V. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email, please
    visit:

        http://www.ibm.com/systems/support

    and click on the "My notifications" link.

    To view previously issued advisories, please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

    Comments regarding the content of this announcement can be directed to:

        security-alert@austin.ibm.com

    To obtain the PGP public key that can be used to communicate securely
    with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

            security-alert@austin.ibm.com

        B. Download the key from our web page:

            http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt

        C. Download the key from a PGP Public Key Server. The key ID is:

            0xF3807ECD

    Please contact your local IBM AIX support center for any assistance.

    eServer is a trademark of International Business Machines Corporation.
    IBM, AIX and pSeries are registered trademarks of International
    Business Machines Corporation. All other trademarks are property of
    their respective holders.

VI. ACKNOWLEDGEMENTS

    This vulnerability was reported by Marsh Ray of PhoneFactor. This
    vulnerability was also independently discovered and publicly disclosed
    by Martin Rex of SAP.
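The assessment in section II amounts to comparing the openssl.base fileset level printed by lslpp against the fixed levels listed there. The following POSIX shell script is an added example, not part of the IBM advisory, that performs that comparison on captured lslpp output; the sample output it embeds is constructed, and the FIPS-capable stream is recognised by its 12.x version prefix as the advisory's fixed levels imply.

```shell
#!/bin/sh
# Added example (not part of the IBM advisory): compare the installed
# openssl.base fileset level, as printed by "lslpp -L openssl.base", against
# the fixed levels listed in section II and report VULNERABLE or FIXED.

# Compare two dotted version strings; print -1, 0 or 1 (like strcmp).
vercmp() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"          # next component of each version
        y="${b%%.*}"; b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"           # missing trailing components count as 0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Fixed level from the advisory for a given AIX release and installed flavour.
# FIPS-capable builds are the 12.x stream; standard builds are the 0.x stream.
fixed_level() {
    case "$1" in
        5.2)     echo 0.9.8.805 ;;
        5.3|6.1) case "$2" in 12.*) echo 12.9.8.1102 ;; *) echo 0.9.8.1102 ;; esac ;;
        *)       echo unknown ;;
    esac
}

# assess RELEASE LSLPP_OUTPUT: returns 0 when fixed, 1 when vulnerable, 2 on error.
assess() {
    level=$(printf '%s\n' "$2" | awk '$1 == "openssl.base" { print $2; exit }')
    [ -n "$level" ] || { echo "openssl.base not found in lslpp output"; return 2; }
    need=$(fixed_level "$1" "$level")
    [ "$need" != unknown ] || { echo "AIX release $1 not covered by the advisory"; return 2; }
    if [ "$(vercmp "$level" "$need")" -lt 0 ]; then
        echo "VULNERABLE: openssl.base $level is below fixed level $need"; return 1
    fi
    echo "FIXED: openssl.base $level is at or above $need"
}
# Constructed sample outputs; on a real host use: assess 6.1 "$(lslpp -L openssl.base)"
SAMPLE_VULNERABLE='  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  openssl.base               0.9.8.1100    C     F    Open Secure Socket Layer'
SAMPLE_FIXED='  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  openssl.base               12.9.8.1102   C     F    Open Secure Socket Layer'

assess 6.1 "$SAMPLE_VULNERABLE"
assess 5.3 "$SAMPLE_FIXED"
```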
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFLTezixvGNyvOAfs0RAr72AJ9z1cZGv+BBJjgdxrzz7sGZoiAgZgCdEpsf
891cIOLWqczrE+mMZ3QexBc=
=P0mk
-----END PGP SIGNATURE-----