-----BEGIN PGP SIGNED MESSAGE-----

IBM SECURITY ADVISORY

Wed Apr 17 13:05:19 CDT 2002

=========================================================================

VULNERABILITY SUMMARY

VULNERABILITY:  Induced failure of IBM Tivoli Policy Director WebSEAL
                component

PLATFORMS:      All platforms running IBM Tivoli Policy Director WebSEAL,
                version 3.8, initial release, and using SSL smart junctions

SOLUTION:       Apply the Fixpack listed in this Advisory

THREAT:         A malicious user can cause WebSEAL server failure

CERT Advisory:  NONE

=========================================================================

DETAILED INFORMATION

I. Description

Background

A correspondent to SecurityFocus' BUGTRAQ in December 2001 (see
http://online.securityfocus.com/archive/1/245283) reported a possible
denial-of-service vulnerability in IBM Tivoli Policy Director WebSEAL,
v3.8.

Discussion

We have reviewed the purported problem and have concluded that there is
no denial of service vulnerability. IBM Tivoli Policy Director v3.8
does, however, contain a defect related to the use of SSL junctions
between the WebSEAL component and Web Servers. This defect can cause the
WebSEAL component to fail if SSL junctions are being used and certain
URLs are then passed across these junctions.

This exposure was corrected as part of a regular fixpack cycle, in
Policy Director WebSEAL 3.8 Fixpack 1.

II. Impact

Customers using the original (Gold Master) release of IBM Tivoli Policy
Director WebSEAL Version 3.8, who also incorporate SSL junctions in their
deployment, may be subject to WebSEAL server failures.

III. Solutions

Workaround

There is no workaround.

Official fix

The solution to this security-related exposure is to apply Fixpack 1 for
IBM Tivoli Policy Director WebSEAL, v3.8. IBM recommends that customers
always stay current with fixpacks for all software products.

All registered customers have access to the Tivoli Patches download
site, and can access the IBM Tivoli Policy Director WebSEAL 3.8
Fixpack 1 at:

https://www.tivoli.com/secure/support/patches/Tivoli_SecureWay_Policy_Director_WebSEAL_.html#3.8-PWS-0001

IV. Contact Information

Comments regarding the content of this announcement can be directed to:

    security-alertat_private

To request the PGP public key that can be used to encrypt new AIX
security vulnerabilities, send email to:

    security-alertat_private

with a subject of "get key".

If you would like to subscribe to the AIX security newsletter, send a
note to aixservat_private with a subject of "subscribe Security". To
cancel your subscription, use a subject of "unsubscribe Security". To
see a list of other available subscriptions, use a subject of "help".

IBM and AIX are registered trademarks of International Business Machines
Corporation. All other trademarks are property of their respective
holders.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQCVAwUBPL3CCwsPbaL1YgqvAQHZlwP/XQn1Q/GAfBaBHL2acrHLXFzWQ2tXoRvO
ugkbBJkEBBrkeAiHbM7i0u8uXA7gqn+6S0QmFU6y8sQ9VfldlTh7/C/0fxFNlJ9Y
Pb+njBRfala9417OUPXhBK4aUeRZxqWaFeGTPz+Jkx8CutTmHOE1vP6sioBM8ncr
ulXP+XiOJ5o=
=Iknk
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Wed Apr 17 2002 - 18:21:13 PDT