[BESAdmin-Announcements] IBM Endpoint Manager critical vulnerability patch release (9.1, 9.0, 8.2, 8.1)

Announcements for BES Administrators besadmin-announcements at bigmail.bigfix.com
Tue May 20 15:01:10 PDT 2014


The IBM Endpoint Manager team has updated multiple versions of the Endpoint
Manager product to address a critical vulnerability.  This vulnerability
could allow an attacker to access files on an affected server or cause an
affected server to make an arbitrary HTTP GET request.

Here are the new patched versions of Endpoint Manager and the components
of those versions that have changed:

9.1.1088.0  -- Root Server, Web Reports, and Server API
9.0.853.0   -- Root Server, Web Reports, and Server API
8.2.1445.0  -- Web Reports and Server API
8.1.653.0   -- Web Reports and Server API

Agents and relays are not exposed to this vulnerability and do not need to
be patched.

After upgrading the server components, the following steps should be
performed to revoke any credentials that could have been compromised:

On IEM 9.0 and 9.1:

 1) Rotate the server signing key:
    http://www-01.ibm.com/support/docview.wss?uid=swg21669587
 2) Rotate custom SSL certificates in Web Reports or the Root Server, if
    you are using them (note: this is not common).
 3) On Linux deployments, change any database or network proxy passwords
    that are in the Root Server or Web Reports settings.

On IEM 8.1 and 8.2:

 1) Rotate custom SSL certificates in Web Reports, if you are using them
    (note: this is not common).


For more information about addressing problems with files that may have
been compromised, please contact support for information and
recommendations.


* Detailed changelist: http://support.bigfix.com/bes/changes/fullchangelist-91.txt
* Known issues: http://www-01.ibm.com/support/docview.wss?uid=swg21667537
* Upgrade fixlets are available in BES Support version 1168