IBM Tivoli Directory Server NULL Ciphers Let Remote Users Obtain Potentially Sensitive Information
|
|
SecurityTracker Alert ID: 1026939 |
|
SecurityTracker URL: http://securitytracker.com/id/1026939
|
|
CVE Reference:
CVE-2012-0726
(Links to External Site)
|
Date: Apr 18 2012
|
Impact:
Disclosure of authentication information, Disclosure of system information, Disclosure of user information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 6.1, 6.2, 6.3
|
Description:
A vulnerability was reported in IBM Tivoli Directory Server. A remote user monitoring the network can obtain potentially sensitive information.
The default TLS configuration enables NULL-MD5 and NULL-SHA ciphers. If a TLS cipher negotiation fails to use a strong cipher, the connection may default to a NULL cipher. A remote user monitoring the network between the client and the directory server can obtain potentially sensitive information.
|
Impact:
A remote user monitoring the network can obtain potentially sensitive information.
|
Solution:
The vendor has issued a fix.
6.1: APAR IO16035: 6.1.0.47-ISS-ITDS-IF0047
6.2: APAR IO16036: 6.2.0.22-ISS-ITDS-IF0022
6.3: APAR IO15761: 6.3.0.11-ISS-ITDS-IF0011
The vendor's advisory is available at:
http://www-01.ibm.com/support/docview.wss?uid=swg21591272
|
Vendor URL: www-01.ibm.com/support/docview.wss?uid=swg21591272 (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (2003), Windows (2008)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 18 Apr 2012 02:54:03 +0000
Subject: IBM Tivoli Directory Server
|
http://www-01.ibm.com/support/docview.wss?uid=swg21591272
CVE-2012-0726
|
|
