<html><body>
<p><font size="2" face="sans-serif">There is an OpenSSL vulnerability that could allow an attacker to compromise</font><br>
<font size="2" face="sans-serif">the IBM Endpoint Manager root server signing key. Both Windows and Linux</font><br>
<font size="2" face="sans-serif">server deployments are affected. Note that the site admin key cannot be</font><br>
<font size="2" face="sans-serif">compromised using this vulnerability.</font><br>
<br>
<font size="2" face="sans-serif">IMMEDIATE ACTIONS:</font><br>
<br>
<font size="2" face="sans-serif">* If you are using Endpoint Manager 9.0 or earlier, you are unaffected. You</font><br>
<font size="2" face="sans-serif"> should delay upgrading to 9.1 until a patch is released. We have removed the </font><br>
<font size="2" face="sans-serif"> 9.1 upgrade fixlets from BES Support.</font><br>
<br>
<font size="2" face="sans-serif">* If you are using Endpoint Manager 9.1, you can mitigate your exposure to</font><br>
<font size="2" face="sans-serif"> this vulnerability by taking the following steps until a 9.1 patch is</font><br>
<font size="2" face="sans-serif"> released:</font><br>
<br>
<font size="2" face="sans-serif"> 1) Limit network access to the root server to only trusted hosts.</font><br>
<font size="2" face="sans-serif"> 2) Rotate the server signing key on the root server on a regular basis [a].</font><br>
<font size="2" face="sans-serif"> 3) If any custom HTTPS keys are being used in the root server or web</font><br>
<font size="2" face="sans-serif"> reports, those keys should also be rotated.</font><br>
<font size="2" face="sans-serif"> 4) Avoid sending any sensitive data via mailboxes or secure parameters to</font><br>
<font size="2" face="sans-serif"> relays or the root server.</font><br>
<font size="2" face="sans-serif"> 5) Consider temporarily disconnecting any internet-facing relays.</font><br>
<br>
<font size="2" face="sans-serif">[a] </font><a href="http://www-01.ibm.com/support/docview.wss?uid=swg21669587"><font size="2" face="sans-serif">http://www-01.ibm.com/support/docview.wss?uid=swg21669587</font></a><br>
<br>
<font size="2" face="sans-serif">BACKGROUND:</font><br>
<br>
<font size="2" face="sans-serif">An OpenSSL vulnerability was announced today in versions 1.0.1 and 1.0.2 of</font><br>
<font size="2" face="sans-serif">OpenSSL. This vulnerability is officially named "TLS heartbeat read overrun</font><br>
<font size="2" face="sans-serif">(CVE-2014-0160)" and has come to be colloquially named "The Heartbleed Bug".</font><br>
<br>
<font size="2" face="sans-serif">Official advisory : </font><a href="http://www.openssl.org/news/secadv_20140407.txt"><font size="2" face="sans-serif">http://www.openssl.org/news/secadv_20140407.txt</font></a><font size="2" face="sans-serif"> </font><br>
<font size="2" face="sans-serif">More details : </font><a href="http://heartbleed.com/"><font size="2" face="sans-serif">http://heartbleed.com</font></a><br>
<br>
<font size="2" face="sans-serif">Any software that uses an affected version of OpenSSL and is a TLS server is</font><br>
<font size="2" face="sans-serif">vulnerable.</font><br>
<br>
<font size="2" face="sans-serif">This vulnerability affects IBM Endpoint Manager version 9.1. Other versions of</font><br>
<font size="2" face="sans-serif">Endpoint Manager (9.0.* and earlier) are not affected by this vulnerability</font><br>
<font size="2" face="sans-serif">because they use an earlier version of OpenSSL.</font><br>
<br>
<font size="2" face="sans-serif">IMPACT:</font><br>
<br>
<font size="2" face="sans-serif">This vulnerability impacts IBM Endpoint Manager in several ways. An attacker</font><br>
<font size="2" face="sans-serif">that can send network requests to the root server can read the root server's</font><br>
<font size="2" face="sans-serif">memory and obtain the server signing private key. This key could be used, as</font><br>
<font size="2" face="sans-serif">part of a man-in-the-middle attack, to impersonate the root server and obtain</font><br>
<font size="2" face="sans-serif">console login credentials. It can also be used to forge actions that agents</font><br>
<font size="2" face="sans-serif">will accept as authentic.</font><br>
<br>
<font size="2" face="sans-serif">An attacker that can send network requests to a 9.1 relay can read the relay's</font><br>
<font size="2" face="sans-serif">memory and obtain the private key of the agent on the relay machine. This key</font><br>
<font size="2" face="sans-serif">can be used to read the contents of mailboxes and secure parameters sent to</font><br>
<font size="2" face="sans-serif">the target agent. It can also be used to impersonate reports from the agent</font><br>
<font size="2" face="sans-serif">that the server will accept as genuine.</font><br>
<br>
<font size="2" face="sans-serif">If you are using any custom SSL certificates for a 9.1 root server or web</font><br>
<font size="2" face="sans-serif">reports server, the private keys for those certificates could be compromised.</font><br>
<font size="2" face="sans-serif">If you are using these keys on any other systems, you should rotate them</font><br>
<font size="2" face="sans-serif">immediately.</font><br>
<br>
<font size="2" face="sans-serif">REMEDIATION:</font><br>
<br>
<font size="2" face="sans-serif">The IBM Endpoint Manager team is working on a patch release that will fix this</font><br>
<font size="2" face="sans-serif">vulnerability. We will make this patch available as soon as possible, and we</font><br>
<font size="2" face="sans-serif">recommend that you make plans to upgrade from 9.1 to the patch release as soon</font><br>
<font size="2" face="sans-serif">as it is available.</font><br>
<br>
</body></html>