Thursday, April 17, 2014

(Not) affected by the heartbleed vulnerability

Let me start by quoting Wikipedia to define what the Heartbleed vulnerability is about: "Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet's Transport Layer Security (TLS) protocol. This vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension. A fixed version of OpenSSL was released on April 7, 2014, at the same time as Heartbleed was publicly disclosed. At that time, some 17 percent (around half a million) of the Internet's secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers' private keys and users' session cookies and passwords. The Electronic Frontier Foundation, Ars Technica, and Bruce Schneier all deemed the Heartbleed bug 'catastrophic'. Forbes cybersecurity columnist Joseph Steinberg wrote, 'Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.'"
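To make the "missing bounds check" concrete, here is an added illustration that is not part of the original post and not OpenSSL code. It models a heartbeat message as defined in RFC 6520 (type, two-byte payload length, payload, at least 16 bytes of padding), a pre-fix handler that trusts the attacker-supplied length, the length check that OpenSSL 1.0.1g introduced, and the client-side test that scanners used: if the echoed payload is longer than what was sent, the extra bytes came from the server's memory. The "memory" buffer and the secret placed after the record are constructed stand-ins for the process heap; the function names are mine.

```python
# Added illustration of the Heartbleed (CVE-2014-0160) mechanism (not OpenSSL's code).
# "memory" is a bytearray standing in for the process heap: the received heartbeat
# record, followed by unrelated data that happens to sit next to it.
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16                      # RFC 6520: at least 16 bytes of padding
PADDING = b"\x00" * MIN_PADDING       # constructed; real padding is random

# Constructed stand-in for neighbouring heap contents (what an attacker hopes to read).
ADJACENT_SECRET = b"Cookie: session=deadbeef; -----BEGIN RSA PRIVATE KEY-----"


def build_heartbeat(claimed_len, payload, padding=PADDING):
    """HeartbeatMessage: type(1) | payload_length(2) | payload | padding.

    claimed_len is what the peer will trust; declaring more than len(payload)
    is the whole attack."""
    return bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + payload + padding


def vulnerable_handler(memory, record_len):
    """Pre-1.0.1g behaviour: the payload length is taken from the message and
    used to size the echo without comparing it to the record actually received."""
    hbtype = memory[0]
    (payload_len,) = struct.unpack("!H", memory[1:3])
    if hbtype != HB_REQUEST:
        return None
    # Copies payload_len bytes from the payload onward, running past record_len
    # into whatever follows in memory. (Python slicing stops at the buffer end;
    # the real memcpy does not, so the reply length below uses len(echoed).)
    echoed = bytes(memory[3:3 + payload_len])
    return bytes([HB_RESPONSE]) + struct.pack("!H", len(echoed)) + echoed + PADDING


def fixed_handler(memory, record_len):
    """The OpenSSL 1.0.1g check: type + length + payload + minimum padding must
    fit inside the received record, otherwise the message is silently dropped."""
    hbtype = memory[0]
    (payload_len,) = struct.unpack("!H", memory[1:3])
    if hbtype != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return None
    echoed = bytes(memory[3:3 + payload_len])
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + echoed + PADDING


def leaked_bytes(response, sent_payload):
    """Client-side test: anything echoed back beyond what we actually sent came
    from the server's memory. Returns b"" when nothing leaked or no reply."""
    if response is None or response[0] != HB_RESPONSE:
        return b""
    (payload_len,) = struct.unpack("!H", response[1:3])
    echoed = response[3:3 + payload_len]
    return echoed[len(sent_payload):]


def probe(handler, claimed_len, payload=b"hb"):
    """Run one heartbeat through the given handler and return the leaked bytes."""
    record = build_heartbeat(claimed_len, payload)
    memory = bytearray(record + ADJACENT_SECRET)    # record, then neighbouring heap data
    return leaked_bytes(handler(memory, len(record)), payload)


if __name__ == "__main__":
    # Honest request: claimed length matches the payload, both handlers just echo.
    print(probe(vulnerable_handler, 2))
    print(probe(fixed_handler, 2))
    # Malicious request: claim 0x4000 bytes while sending two.
    print(probe(vulnerable_handler, 0x4000))
    print(probe(fixed_handler, 0x4000))
```

Two details worth noticing: the fixed handler also rejects a request that claims 3 bytes while a 2-byte payload plus 16 bytes of padding were sent, because the minimum padding is part of the bound; and the client-side test never needs the server's cooperation, which is why the bug could be scanned for (and exploited) without leaving anything in the server's logs.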

Does it have any impact on our mainframe or IBM storage environments?
Well, a search on the IBM Support site for 'heartbleed' returns more than a hundred hits, and practically all of them state 'not affected by the OpenSSL heartbleed vulnerability'. Here are some of them:
  • TS7650, TS7650G, TS7680
  • TS7700, TS7720, TS7740
  • TS3500, TS11x0, 3592-C07
  • XIV Gen2
  • CICS Transaction Server for VSE/ESA 1.1.1, CICS Transaction Server for z/OS
  • DS8100, DS8300, DS8700, DS8800 and DS8870 prior to Release 7.2
  • OpenSSH for z/OS
The only one I found so far that is affected is XIV Gen3. IBM's advisory describes the exposure as follows:
"XIV management and CIMOM uses SSL to provide confidentiality and integrity of management communications. This vulnerability means that an attacker can potentially compromise management communication, gaining access to user credentials and thereby to unauthorized management access of an exposed system. Since storage management is usually on an internal and separate network, exposure to this vulnerability is limited to users with access to the management network.
The impact is limited to management communication only, as XIV does not use SSL encryption in the data path".

Affected products and versions are: "XIV Gen3 systems running microcode versions 11.4.1 or 11.4.1.a are vulnerable via management and CIMOM ports. Versions 11.3.0, 11.3.0.a and 11.3.1 are vulnerable only via the CIMOM port. XIV Gen3 systems running older microcode versions are not affected. XIV Gen2 systems are not affected".

Because the bug leaks memory contents without leaving any trace in the server's logs, installing the fixed microcode is not the end of it: the credentials used over the affected management and CIMOM ports should be changed once the fix is in place, since they may already have been read. You can find all additional information for XIV Gen3 in IBM's advisory.
