[BESAdmin-Announcements] IBM Endpoint Manager critical vulnerability patch release (9.1.1117)
Announcements for BES Administrators
besadmin-announcements at bigmail.bigfix.com
Mon Jun 30 14:09:16 PDT 2014
IBM Endpoint Manager 9.1.1117 (9.1 patch 3) is an emergency patch release to
close a recently announced vulnerability (CVE-2014-0224) in the OpenSSL library
used by IEM. This patch contains a new release of the OpenSSL library that
closes this vulnerability. IEM 9.1 customers should upgrade to this new
release in order to close the vulnerability. All IEM components have been
upgraded with OpenSSL-1.0.1h and are available for upgrade.
IEM 9.1 (9.1.1065, 9.1.1082, and 9.1.1088) is the only version affected.
Previous versions (8.1, 8.2, and 9.0) are not affected.
This vulnerability can be exploited by a man-in-the-middle (MITM) attack,
allowing an attacker to eavesdrop and make modifications between Root Server,
Web Reports, Relay, and Proxy Agent communications. An eavesdropping attacker
can obtain console login credentials. (Note that neither the site admin key nor
the server signing private key is exposed by this vulnerability, so it is not
necessary to rotate keys after upgrade.)
For the official OpenSSL advisory, check:
This vulnerability is known as the ChangeCipherSpec (CCS) Injection
Vulnerability. For more details about it, check:
The IBM Security Bulletin for this patch is located here:
* Detailed changelist:
* Known issues: http://www-01.ibm.com/support/docview.wss?uid=swg21667537
* Upgrade fixlets are available in BES Support version 1176
* Manual upgrades are available at