IBM Security Advisory: IBM Tivoli Policy Director WebSEAL

From: Michael S Soukup (soukupat_private)
Date: Wed Apr 17 2002 - 12:30:28 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    
    IBM SECURITY ADVISORY
    
    Wed Apr 17 13:05:19 CDT 2002
    =========================================================================
                               VULNERABILITY SUMMARY
    
    VULNERABILITY:    Induced failure of IBM Tivoli Policy
                      Director WebSEAL component
    
    PLATFORMS:        All platforms running IBM Tivoli Policy Director
                      WebSEAL, version 3.8, initial release, and using
                      SSL smart junctions
    
    SOLUTION:         Apply the FixPaks listed in this Advisory
    
    THREAT:           Malicious user can cause WebSEAL server failure
    
    CERT Advisory:    NONE
    
    =========================================================================
                               DETAILED INFORMATION
    
    I.  Description
    
        Background
    
    A correspondent to SecurityFocus' BUGTRAQ in December 2001 (see
    http://online.securityfocus.com/archive/1/245283) reported a possible
    denial-of-service vulnerability in IBM Tivoli Policy Director
    WebSEAL, v3.8.
    
        Discussion
    
    We have reviewed the purported problem and have concluded that there is
    no denial of service vulnerability. IBM Tivoli Policy Director v3.8,
    however, contains a defect related to the use of SSL junctions between
    the WebSEAL component and Web Servers. This defect can cause the WebSEAL
    component to fail if SSL junctions are being used and certain URLs
    are then passed across these junctions.
    
    This exposure was corrected as part of a regular fixpack cycle, in
    Policy Director WebSEAL 3.8 Fixpack 1.
    
    
    II. Impact
    
    Customers using the original (Gold Master) release of IBM Tivoli Policy
    Director WebSEAL Version 3.8, who also incorporate SSL junctions in their
    deployment, may be subject to WebSEAL server failures.
    
    III.  Solutions
    
    
          Workaround
    
    There is no workaround.
    
    
          Official fix
    
    The solution to this security-related exposure is to apply Fixpack
    1 for the IBM Tivoli Policy Director WebSEAL, v3.8.
    
    IBM recommends that customers always stay current with fixpacks
    for all software products.  All registered customers have access to the
    Tivoli Patches download site, and can access the IBM Tivoli Policy
    Director WebSEAL 3.8 Fixpack 1 at:
    
    https://www.tivoli.com/secure/support/patches/Tivoli_SecureWay_Policy_Director_WebSEAL_.html#3.8-PWS-0001
    
    
    
    IV.  Contact Information
    
    Comments regarding the content of this announcement can be directed to:
    
       security-alertat_private
    
    To request the PGP public key that can be used to encrypt reports of new
    AIX security vulnerabilities, send email to:
    
    security-alertat_private
    
    with a subject of "get key".
    
    
    If you would like to subscribe to the AIX security newsletter,
    send a note to aixservat_private with a subject of
    "subscribe Security".
    
    To cancel your subscription, use a subject of "unsubscribe Security".
    To see a list of other available subscriptions, use a subject of "help".
    
    IBM and AIX are registered trademarks of International Business Machines
    Corporation.  All other trademarks are property of their
    respective holders.
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP for Personal Privacy 5.0
    Charset: noconv
    
    iQCVAwUBPL3CCwsPbaL1YgqvAQHZlwP/XQn1Q/GAfBaBHL2acrHLXFzWQ2tXoRvO
    ugkbBJkEBBrkeAiHbM7i0u8uXA7gqn+6S0QmFU6y8sQ9VfldlTh7/C/0fxFNlJ9Y
    Pb+njBRfala9417OUPXhBK4aUeRZxqWaFeGTPz+Jkx8CutTmHOE1vP6sioBM8ncr
    ulXP+XiOJ5o=
    =Iknk
    -----END PGP SIGNATURE-----
    