Author Topic: SECURITY BULLETIN: GSKit and CMOD v9.0, v9.5, v10.1  (Read 383 times)

Justin Derrick

  • IBM Content Manager OnDemand Consultant
  • Administrator
  • Hero Member
  • *****
  • Posts: 1552
  • CMOD Guru for hire...
    • View Profile
    • Tenacious Consulting
SECURITY BULLETIN: GSKit and CMOD v9.0, v9.5, v10.1
« on: April 27, 2018, 03:24:44 AM »
IBM Released a Security Bulletin covering IBM Global Security Kit ("GSKit") v8.0 and IBM CMOD:  http://www.ibm.com/support/docview.wss?uid=swg22014722

IBM CMOD v9.0 will not be patched, the resolution is to move to a newer version of CMOD.

IBM GSKit is used in a variety of IBM Products for cryptographic functions -- other tools may have similar vulnerabilities, including Tivoli Storage Manager (aka Spectrum Protect).  Check with your organizations Information Security group.

I've reached out to IBM on clarification on precisely how to patch this bug.

We'll likely send out an eMail blast after there are some more details.  Post your comments or questions so we can try to get some answers.

-JD.
« Last Edit: April 27, 2018, 06:17:40 AM by Justin Derrick »
#Install, #Educate, #Repair, #Upgrade, #Migrate, #Enhance, #Optimize.

IBM CMOD Professional Services: http://TenaciousConsulting.com
Call:  +1-866-533-7742  or  eMail:  jd@justinderrick.com
IBM CMOD Wiki:  https://CMOD.wiki/

Interests: #AIX #Linux #Multiplatforms #DB2 #TSM #SA #Performance #Security #Audits #Customizing #Availability #HA #DR #Training

Justin Derrick

  • IBM Content Manager OnDemand Consultant
  • Administrator
  • Hero Member
  • *****
  • Posts: 1552
  • CMOD Guru for hire...
    • View Profile
    • Tenacious Consulting
Re: SECURITY BULLETIN: GSKit and CMOD v9.0, v9.5, v10.1
« Reply #1 on: April 27, 2018, 06:23:04 AM »
I've exchanged a few eMails with Greg, and it appears that the impact of this bug is relatively low for most CMOD customers. 

It doesn't affect CMOD user passwords or CMOD stash files, but only the password for keystore databases -- if you're using CMOD with SSL/TLS (for encryption of data on-the-wire) or the new IBM CMOD encryption (for encryption of data at rest) you'll want to update the password on your keystore database after applying the latest GSKit Fixpack.

The updated version of GSKit is v8.0.50.88, but it is not publicly available yet.  You must request it from support.  The only exception is IBM CMOD for Windows, where GSKit is bundled with the install package.

-JD.
« Last Edit: April 27, 2018, 06:44:51 AM by Justin Derrick »
#Install, #Educate, #Repair, #Upgrade, #Migrate, #Enhance, #Optimize.

IBM CMOD Professional Services: http://TenaciousConsulting.com
Call:  +1-866-533-7742  or  eMail:  jd@justinderrick.com
IBM CMOD Wiki:  https://CMOD.wiki/

Interests: #AIX #Linux #Multiplatforms #DB2 #TSM #SA #Performance #Security #Audits #Customizing #Availability #HA #DR #Training

Ed_Arnold

  • Hero Member
  • *****
  • Posts: 780
    • View Profile
Re: SECURITY BULLETIN: GSKit and CMOD v9.0, v9.5, v10.1
« Reply #2 on: May 15, 2018, 06:47:43 AM »
Good news, from the 10.1.0.3 announcement:

> The GSKit has been updated to version 8.0.50.88

Ed

#zOS #ODF

Justin Derrick

  • IBM Content Manager OnDemand Consultant
  • Administrator
  • Hero Member
  • *****
  • Posts: 1552
  • CMOD Guru for hire...
    • View Profile
    • Tenacious Consulting
Re: SECURITY BULLETIN: GSKit and CMOD v9.0, v9.5, v10.1
« Reply #3 on: May 15, 2018, 07:40:21 AM »
Yet it's not available for download via Fix Central.  Do you happen to know if there's a reason it's being held back?

-JD.
#Install, #Educate, #Repair, #Upgrade, #Migrate, #Enhance, #Optimize.

IBM CMOD Professional Services: http://TenaciousConsulting.com
Call:  +1-866-533-7742  or  eMail:  jd@justinderrick.com
IBM CMOD Wiki:  https://CMOD.wiki/

Interests: #AIX #Linux #Multiplatforms #DB2 #TSM #SA #Performance #Security #Audits #Customizing #Availability #HA #DR #Training