Vigil@nce - WebSphere AS: denial of service via Heartbeat
May 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send TLS Heartbeat messages to WebSphere AS, in
order to trigger a denial of service.
– Impacted products: Tivoli System Automation, WebSphere AS
– Severity: 2/4
– Creation date: 12/05/2014
DESCRIPTION OF THE VULNERABILITY
The Heartbeat extension of TLS (RFC 6520) provides a keep-alive
feature, without performing a renegotiation.
However, a malformed Heartbeat message stops WebSphere AS.
Technical details are unknown.
An attacker can therefore send TLS Heartbeat messages to WebSphere
AS, in order to trigger a denial of service.
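The bulletin does not say which malformation affects WebSphere AS, so the following added example (not from the bulletin or from the vendor) only checks a plaintext HeartbeatMessage against the structural rules of RFC 6520, as a receiver or a TLS-terminating inspection point would. The function names and the sample byte strings are constructed for illustration.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 24      # TLS record ContentType assigned by RFC 6520
MIN_PADDING = 16                 # RFC 6520: padding is at least 16 bytes
MAX_PLAINTEXT = 2 ** 14          # RFC 6520: message must not exceed 2^14 bytes
HB_TYPES = {1: "heartbeat_request", 2: "heartbeat_response"}


def check_heartbeat(fragment: bytes):
    """Validate one plaintext HeartbeatMessage; return (ok, detail)."""
    if len(fragment) > MAX_PLAINTEXT:
        return False, "message exceeds 2^14 bytes"
    if len(fragment) < 3:
        return False, "truncated header"
    hb_type, payload_length = struct.unpack("!BH", fragment[:3])
    if hb_type not in HB_TYPES:
        return False, "unknown message type"
    # type (1) + payload_length (2) + payload + minimum padding must fit
    # inside what was actually received, otherwise discard silently.
    if 3 + payload_length + MIN_PADDING > len(fragment):
        return False, "payload_length exceeds record"
    return True, HB_TYPES[hb_type]


def scan_records(stream: bytes):
    """Walk a run of plaintext TLS records and check each heartbeat record."""
    verdicts, offset = [], 0
    while offset + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        body = stream[offset + 5:offset + 5 + length]
        if len(body) < length:
            break                # incomplete trailing record
        if ctype == HEARTBEAT_CONTENT_TYPE:
            verdicts.append(check_heartbeat(body))
        offset += 5 + length
    return verdicts


def record(ctype: int, body: bytes) -> bytes:
    """Build a constructed TLS 1.2 record header plus body (sample data only)."""
    return bytes([ctype, 3, 3]) + len(body).to_bytes(2, "big") + body


# Constructed samples: a well-formed request and one whose length field
# claims more payload than the record carries.
GOOD = bytes([1]) + (4).to_bytes(2, "big") + b"ping" + bytes(16)
BAD = bytes([1]) + (64).to_bytes(2, "big") + b"ping" + bytes(16)

if __name__ == "__main__":
    for verdict in scan_records(record(22, b"\x00" * 8) + record(24, GOOD) + record(24, BAD)):
        print(verdict)
```

Counting rejected heartbeat records per peer gives a simple signal for alerting on the traffic this bulletin describes.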
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/WebSphere-AS-denial-of-service-via-Heartbeat-14722