Bugtraq mailing list archives

IBM Security Advisory: IBM Tivoli Policy Director WebSEAL


From: "Michael S Soukup" <soukup () us ibm com>
Date: Wed, 17 Apr 2002 15:30:28 -0400

-----BEGIN PGP SIGNED MESSAGE-----

IBM SECURITY ADVISORY

Wed Apr 17 13:05:19 CDT 2002
=========================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:    Induced failure of IBM Tivoli Policy
                  Director WebSEAL component

PLATFORMS:        All platforms running IBM Tivoli Policy Director
                  WebSEAL, version 3.8, initial release, and using
                  SSL smart junctions

SOLUTION:         Apply the FixPak listed in this Advisory

THREAT:           Malicious user can cause WebSEAL server failure

CERT Advisory:    NONE

=========================================================================
                           DETAILED INFORMATION

I.  Description

    Background

A correspondent to SecurityFocus' BUGTRAQ in December 2001 (see
http://online.securityfocus.com/archive/1/245283) reported a possible
denial-of-service vulnerability in IBM Tivoli Policy Director
WebSEAL, v3.8.

    Discussion

We have reviewed the purported problem and have concluded that there is
no denial-of-service vulnerability. IBM Tivoli Policy Director v3.8,
however, contains a defect related to the use of SSL junctions between
the WebSEAL component and Web servers. This defect can cause the WebSEAL
component to fail if SSL junctions are being used and certain URLs
are then passed across these junctions.

This exposure was corrected as part of a regular fixpack cycle, in
Policy Director WebSEAL 3.8 Fixpack 1.


II. Impact

Customers using the original (Gold Master) release of IBM Tivoli Policy
Director WebSEAL Version 3.8, who also incorporate SSL junctions in their
deployment, may be subject to WebSEAL server failures.

III.  Solutions


      Workaround

There is no workaround.


      Official fix

The solution to this security-related exposure is to apply Fixpack
1 for the IBM Tivoli Policy Director WebSEAL, v3.8.

IBM recommends that customers always stay current with fixpacks
for all software products.  All registered customers have access to the
Tivoli Patches download site, and can access the IBM Tivoli Policy
Director WebSEAL 3.8 Fixpack 1 at:

https://www.tivoli.com/secure/support/patches/Tivoli_SecureWay_Policy_Director_WebSEAL_.html#3.8-PWS-0001



IV.  Contact Information

Comments regarding the content of this announcement can be directed to:

   security-alert () austin ibm com

To request the PGP public key that can be used to encrypt reports of new
AIX security vulnerabilities, send email to:

security-alert () austin ibm com

with a subject of "get key".


If you would like to subscribe to the AIX security newsletter,
send a note to aixserv () austin ibm com with a subject of
"subscribe Security".

To cancel your subscription, use a subject of "unsubscribe Security".
To see a list of other available subscriptions, use a subject of "help".

IBM and AIX are registered trademarks of International Business Machines
Corporation.  All other trademarks are property of their
respective holders.


-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

-----END PGP SIGNATURE-----

