Summary
IBM Endpoint Manager 9.1 ships with a version of OpenSSL affected by the ChangeCipherSpec (CCS) Injection vulnerability (CVE-2014-0224). An attacker positioned between a vulnerable client and a vulnerable server can force the TLS handshake to use weak keying material and then decrypt and modify the traffic.
Impact
Successfully exploiting this issue lets a man-in-the-middle attacker decrypt and tamper with TLS traffic between IBM Endpoint Manager components and recover sensitive information, including console login credentials, which can then be used in further attacks.
Solution
Upgrade all IBM Endpoint Manager components (Root Server, Web Reports, Relay and Proxy Agent) to version 9.1.1117 or later.
Insight
On June 5, 2014 the OpenSSL project published an advisory covering several vulnerabilities in multiple OpenSSL versions. One of them, the ChangeCipherSpec (CCS) Injection vulnerability (CVE-2014-0224), affects IBM Endpoint Manager 9.1. In a vulnerable OpenSSL build a ChangeCipherSpec message is accepted before the key exchange has finished, so an attacker who can intercept the connection (man-in-the-middle) can force both ends onto weak keys and then eavesdrop on and tamper with the traffic between the Root Server, Web Reports, Relay and Proxy Agent. The attack requires both the client and the server side to be running a vulnerable OpenSSL. An eavesdropping attacker can obtain console login credentials.
Affected
IBM Endpoint Manager 9.1 builds 9.1.1065, 9.1.1082 and 9.1.1088 are the only affected versions. Previous versions are not affected.
Detection
Checks the installed IBM Endpoint Manager version against the affected builds listed above.
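The following is an added example, not the scanner's or IBM's code, that puts the two checks described above into working form: the version comparison against the affected builds listed in this advisory, and an active probe that mirrors the published CCS Injection test, where a ClientHello is sent, the server's handshake flight is read up to ServerHelloDone, and a ChangeCipherSpec record is then sent before any key exchange. A fixed OpenSSL server answers the premature CCS with an unexpected_message alert (description 10); a vulnerable one accepts it silently. The port 52311 default and all sample byte strings in the tests are assumptions constructed for this example.

```python
"""Version check and active TLS probe for CVE-2014-0224 (CCS Injection).
Added example for this advisory; not IBM's or the scanner's own code."""
import socket
import struct

# Affected and fixed builds as stated in this advisory.
AFFECTED_BUILDS = {(9, 1, 1065), (9, 1, 1082), (9, 1, 1088)}
FIXED_BUILD = (9, 1, 1117)

# TLS record content types and the handshake / alert codes the probe needs.
HANDSHAKE, CCS, ALERT = 0x16, 0x14, 0x15
SERVER_HELLO_DONE = 14
ALERT_UNEXPECTED_MESSAGE = 10
TLS10 = b"\x03\x01"


def parse_version(text):
    """'9.1.1082' -> (9, 1, 1082)."""
    return tuple(int(part) for part in text.strip().split("."))


def version_status(text):
    """Classify a reported IBM Endpoint Manager build against the advisory."""
    version = parse_version(text)
    if version in AFFECTED_BUILDS:
        return "affected"
    if version >= FIXED_BUILD:
        return "fixed"
    if version < (9, 1, 1065):
        return "not affected"      # advisory: previous versions are not affected
    return "unknown"               # 9.1 build the advisory does not list; probe it


def record(content_type, body):
    """Wrap a body in a TLS 1.0 record header: type, version, 16-bit length."""
    return struct.pack("!B", content_type) + TLS10 + struct.pack("!H", len(body)) + body


def client_hello():
    """Minimal TLS 1.0 ClientHello: fixed random (constructed), no session id,
    three common cipher suites, null compression, no extensions."""
    suites = b"\x00\x2f\x00\x35\x00\x0a"   # AES128-SHA, AES256-SHA, DES-CBC3-SHA
    body = (TLS10 + b"\x11" * 32 + b"\x00"
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return record(HANDSHAKE, handshake)


def early_ccs():
    """The injected message: a ChangeCipherSpec record sent before key exchange."""
    return record(CCS, b"\x01")


def split_records(data):
    """Split a byte stream into (content_type, body) pairs; drops a trailing partial record."""
    out, off = [], 0
    while off + 5 <= len(data):
        ctype = data[off]
        length = struct.unpack("!H", data[off + 3:off + 5])[0]
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break
        out.append((ctype, body))
        off += 5 + length
    return out


def saw_server_hello_done(data):
    """True once the server's handshake flight contains a ServerHelloDone message."""
    handshake = b"".join(body for ctype, body in split_records(data) if ctype == HANDSHAKE)
    off = 0
    while off + 4 <= len(handshake):
        mtype = handshake[off]
        length = int.from_bytes(handshake[off + 1:off + 4], "big")
        if mtype == SERVER_HELLO_DONE:
            return True
        off += 4 + length
    return False


def classify(response):
    """Interpret what the server sent back after the premature CCS."""
    for ctype, body in split_records(response):
        if ctype == ALERT and len(body) >= 2:       # alert body = level, description
            if body[1] == ALERT_UNEXPECTED_MESSAGE:
                return "patched"                   # fixed OpenSSL rejects the out-of-order CCS
            return "alert %d (inconclusive)" % body[1]
    return "likely vulnerable"                     # CCS accepted silently before key exchange


def probe(host, port=52311, timeout=5.0):
    """Active check against one endpoint. Port 52311 is assumed as the default
    IBM Endpoint Manager server port; adjust for relays or Web Reports."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello())
        buf = b""
        while not saw_server_hello_done(buf):
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                chunk = b""
            if not chunk or any(ctype == ALERT for ctype, _ in split_records(buf)):
                return "no TLS handshake"          # server refused or never finished its flight
            buf += chunk
        sock.sendall(early_ccs())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
        return classify(reply)
```

A result of "likely vulnerable" from probe() means the server completed its hello flight and then accepted the injected CCS without an alert; the version check remains the authoritative test for this advisory, and the probe is only useful for confirming a build that the advisory does not list.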
References
CVE: CVE-2014-0224
Updated on 2015-03-25
Severity
CVSS Base Score: 6.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P