PT-2015-7550 · IBM · IBM DataPower Gateway
Published: 2015-11-08 · Updated: 2015-11-09 · CVE-2015-7412
CVSS v2.0: 2.6 (Low)
Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions
IBM DataPower Gateways versions 7.2.0.x before 7.2.0.1
Description
The issue allows remote attackers to obtain plaintext data via a padding-oracle attack when the GatewayScript decryption API or a JWE decrypt action is enabled, as the GatewayScript modules do not require signed ciphertext data.
Recommendations
For versions 7.2.0.x before 7.2.0.1, update to version 7.2.0.1 or later to resolve the issue. As a temporary workaround, consider disabling the GatewayScript decryption API or JWE decrypt action until a patch is available. Restrict access to sensitive data to minimize the risk of exploitation.
Fix
Information Disclosure
Affected Products
IBM DataPower Gateway