[BESAdmin-Announcements] IBM Endpoint Manager critical vulnerability patch release (9.1.1117)

[Announcements for BES Administrators]

IBM Endpoint Manager 9.1.1117 (9.1 patch 3) is an emergency patch release
to
close a recently announced vulnerability (CVE-2014-0224) in the OpenSSL
library
used by IEM. This patch contains a new release of the OpenSSL library that
closes this vulnerability. IEM 9.1 customers should upgrade to this new
patch
release in order to close the vulnerability. All IEM components have been
upgraded with OpenSSL-1.0.1h and are available for upgrade.

IEM 9.1 (9.1.1065, 9.1.1082, and 9.1.1088) is the only version affected.
Previous versions (8.1, 8.2, and 9.0) are not affected.

This vulnerability can be exploited by a Man-in-the-middle (MITM) attack
allowing an attacker to eavesdrop and make modifications between Root
Server,
Web Reports, Relay, and Proxy Agent communications. An eavesdropping
attacker
can obtain console login credentials. (Note that neither the site admin key
nor
the server signing private key are exposed by this vulnerability, so it is
not
necessary to rotate keys after upgrade.)

For the official OpenSSL advisory, check:

https://www.openssl.org/news/secadv_20140605.txt

This vulnerability is known as the ChangeCipherSpec (CCS) Injection
Vulnerability. For more details about it, check:

http://ccsinjection.lepidum.co.jp/

The IBM Security Bulletin for this patch is located here:

http://www-01.ibm.com/support/docview.wss?uid=swg21677842

* Detailed changelist:
http://support.bigfix.com/bes/changes/fullchangelist-91.txt
* Known issues: http://www-01.ibm.com/support/docview.wss?uid=swg21667537
* Upgrade fixlets are available in BES Support version 1176
* Manual upgrades are available at
http://support.bigfix.com/bes/install/downloadbes.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://bigmail.bigfix.com/pipermail/besadmin-announcements/attachments/20140630/248613f8/attachment.html>