A bug has been found in the Secure Sockets Layer (SSL) 3.0 cryptographic protocol (SSLv3) which can be exploited to intercept encrypted data sent between computers and servers in a “man in the middle” attack. Researchers at Google have detailed how this vulnerability can be exploited through what they call a Padding Oracle On Downgraded Legacy Encryption (POODLE) attack (CVE-2014-3566).
This vulnerability is not a flaw in SSL certificates or their private keys, but rather in the SSLv3 protocol. Current SSL certificates need not be replaced.
To minimise the risk of a potential attack, it is recommended that SSLv3 be disabled for all communication over DataPower appliances.
This can be achieved by changing the configuration of your proxy profile(s). The following screenshots show the required changes on an XI52 DataPower appliance. Ensure that the changes are made for all crypto profiles used in your environment.
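Once the crypto profiles have been changed, it is worth confirming that the appliance no longer completes an SSLv3 handshake. The following check is an added example, not code from the original post or from IBM: it sends a ClientHello that offers only SSL 3.0 and classifies the first record of the reply. The function names, the cipher list and the host `datapower.example.com` are assumptions for illustration.

```python
import socket
import struct

SSL3 = b"\x03\x00"  # SSL 3.0 version bytes as they appear on the wire

def sslv3_client_hello():
    """Build a minimal ClientHello that offers SSL 3.0 and nothing newer."""
    # Assumption: four common CBC/RC4 suites of that era (AES128-SHA,
    # AES256-SHA, 3DES-SHA, RC4-SHA); a server sharing none alerts regardless.
    ciphers = b"\x00\x2f\x00\x35\x00\x0a\x00\x05"
    body = (SSL3 + bytes(32)                       # client_version + fixed random
            + b"\x00"                              # empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00")                         # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify(reply):
    """Interpret the first record the server sends back."""
    if not reply or reply[0] == 0x15:              # closed, or an alert record
        return "refused"
    # Handshake record whose first message is a ServerHello selecting SSL 3.0
    if (len(reply) >= 11 and reply[0] == 0x16
            and reply[5] == 0x02 and reply[9:11] == SSL3):
        return "sslv3-enabled"
    return "unknown"

def probe(host, port=443, timeout=5.0):
    """Send the SSLv3 ClientHello to host:port and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            sock.sendall(sslv3_client_hello())
            return classify(sock.recv(4096))
        except ConnectionResetError:               # a reset counts as a refusal
            return "refused"

# Constructed sample replies (not captured traffic) so the check runs offline.
SAMPLE_SERVER_HELLO = b"\x16\x03\x00\x00\x2a\x02\x00\x00\x26\x03\x00" + bytes(36)
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"     # fatal handshake_failure

if __name__ == "__main__":
    print(classify(SAMPLE_SERVER_HELLO))
    print(classify(SAMPLE_ALERT))
    # probe("datapower.example.com", 443)  # placeholder host, replace with your own
```

Run `probe` against every listener that uses a crypto profile; any result of `sslv3-enabled` means a profile still permits SSLv3.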
On October 1st IBM released a statement of direction outlining plans for a new appliance based on a modular architecture. The new appliance, named IBM DataPower Gateway, can be configured with B2B, Integration and ISAM modules, providing the functionality of the current XG45, XI52 and XB62 appliances in a single device. The new appliances will […]
The latest firmware for IBM DataPower appliances, v7.1, will deliver new standard features such as Kerberos S4U2Self functionality and an increased XML names maximum, but will also provide support for optional B2B, Integration and ISAM Proxy modules. Users with existing XG45, XI52 and XB62 appliances (see the list of supported devices below) will be able […]
IBM has released a statement of direction that outlines plans to deliver a renamed and enhanced IBM DataPower Gateway appliance. The new single appliance will utilise an extensible and modular architecture to offer the functionality that is provided by three existing products: WebSphere DataPower Service Gateway XG45, WebSphere DataPower Integration Appliance XI52 and WebSphere DataPower […]
IBM DataPower is not affected by the environment variable vulnerability known as “Shellshock”. IBM has published a Technote on the topic: DataPower does not use Bash anywhere. Hence it is not impacted by any of the Bash vulnerabilities. In particular, DataPower in all editions and all platforms is NOT vulnerable to the Bash vulnerabilities: CVE-2014-6271, […]
When sending large amounts of XML data in a message, it is often preferable to compress the XML and attach it as a base64 string, rather than adding the XML directly in the message. This can, however, create problems if the content of the compressed XML must be read during the transaction. By using the […]