SECURITY BULLETIN: GSKit and CMOD v9.0, v9.5, v10.1

[Justin Derrick]

IBM Released a Security Bulletin covering IBM Global Security Kit ("GSKit") v8.0 and IBM CMOD:  http://www.ibm.com/support/docview.wss?uid=swg22014722

IBM CMOD v9.0 will not be patched, the resolution is to move to a newer version of CMOD.

IBM GSKit is used in a variety of IBM Products for cryptographic functions -- other tools may have similar vulnerabilities, including Tivoli Storage Manager (aka Spectrum Protect).  Check with your organizations Information Security group.

I've reached out to IBM on clarification on precisely how to patch this bug.

We'll likely send out an eMail blast after there are some more details.  Post your comments or questions so we can try to get some answers.

-JD.

[Justin Derrick]

I've exchanged a few eMails with Greg, and it appears that the impact of this bug is relatively low for most CMOD customers. 

It doesn't affect CMOD user passwords or CMOD stash files, but only the password for keystore databases -- if you're using CMOD with SSL/TLS (for encryption of data on-the-wire) or the new IBM CMOD encryption (for encryption of data at rest) you'll want to update the password on your keystore database after applying the latest GSKit Fixpack.

The updated version of GSKit is v8.0.50.88, but it is not publicly available yet.  You must request it from support.  The only exception is IBM CMOD for Windows, where GSKit is bundled with the install package.

-JD.

[Ed_Arnold]

Good news, from the 10.1.0.3 announcement:

> – The GSKit has been updated to version 8.0.50.88

Ed

[Justin Derrick]

Yet it's not available for download via Fix Central.  Do you happen to know if there's a reason it's being held back?

-JD.