[BESAdmin-Announcements] URGENT ACTION: Platform Critical Security Vulnerability in 9.0.777 -- 9.0.787 Patch 4 Available

Announcements for BES Administrators besadmin-announcements at bigmail.bigfix.com
Tue Oct 8 02:52:29 PDT 2013



A vulnerability was discovered today with LDAP and Active Directory
authentication that could allow an attacker to impersonate any
LDAP-authenticated Console user. This vulnerability only exists in the
9.0.777 (patch 2) release of the IBM Endpoint Manager Server (root server
component). This vulnerability does not affect Web Reports.

Administrators are advised to upgrade their IEM Server immediately to
9.0.787 (patch 4) in order to resolve the vulnerability. Upgrade fixlets
for 9.0.787 are currently available in the BES Support site (version 1125).
If it is not possible to upgrade, administrators should disable LDAP and
Active Directory authentication to close the vulnerability. 9.0.777 upgrade
fixlets have been removed from the BES Support site, and customers who
planned to upgrade to 9.0.777 should instead use 9.0.787, which contains
the needed fix.

We have extensive processes and safeguards in place to make sure that
vulnerabilities such as this are found before release, but obviously those
failed us in this instance. We will be conducting a thorough review of our
development and testing processes to ensure that nothing like this happens
again in the future.

Sincerely,
Endpoint Manager Platform Team


Published Site Versions:
BES Support v.1125

Additional Notes:
- Full IBM Endpoint Manager Platform 9.0 change list:
http://support.bigfix.com/bes/changes/fullchangelist-90.txt
- Manual upgrade instructions are available at:
https://www.ibm.com/developerworks/community/wikis/home?lang=en#/wiki/Tivoli%20Endpoint%20Manager/page/Upgrading

- Known issues are available at:
http://www-01.ibm.com/support/docview.wss?uid=swg21628247