Security Bulletin: Vulnerability in SSLv3 affects IBM i (CVE-2014-3566)

Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM i.

Vulnerability Details

CVE-ID: CVE-2014-3566

DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Releases V4R1, V4R2, V4R3, V4R4, V5R1, V5R2, V5R3, V5R4, 6.1, 7.1 and 7.2 of IBM i are affected.

Remediation/Fixes

The issue can be fixed by applying PTF’s to IBM i and following the remediation plan below.
Note: Please read this entire section for the list PTF numbers for IBM i:
Note: 07/22/15 There has been an update this document to include PTF’s to disable SSLv3 from the default list

Releases 6.1, 7.1 and 7.2 of IBM i are supported and will be fixed. Releases V4R1, V4R2, V4R3, V4R4, V5R1, V5R2, V5R3 and V5R4 are unsupported and will not be fixed.

The IBM i PTF numbers are:

IBM i OS and options:

Release 6.1 –MF59350, MF59361, SI55239, SI55387, SI57357, MF60331Release 6.1.1**–** MF59349, MF59362, SI55239, SI55387, SI57357, MF60338

Release 7.1 – SI55204, SI55389, SI57332, MF60335
**Release 7.2 –**SI55392, SI57320, MF60333, MF60334

IBM i V5R4 options:

**R540 –**MF59387
**R545 –**MF59378

To change the System SSL settings with the Start System Service Tools (STRSST) command, follow these steps:
1. Open a character-based interface.
2. On the command line, type STRSST.
3. Type your service tools user name and password.
4. Select option 1 (Start a service tool).
5. Select option 4 (Display/Alter/Dump).
6. Select option 1 (Display/Alter storage).
7. Select option 2 (Licensed Internal Code (LIC) data).
8. Select option 14 (Advanced analysis).
9. Select option 1 (SSLCONFIG).
10. Enter -h
This will show the help screen that describes the input strings. To disable SSLv3 enter -disableSSLv3

IBM i Java:

Java for IBM i: 5760-JV1 & 5770-JV1
In order to mitigate this vulnerability, the SSL V3.0 protocol must not be enabled. The IBM SDK has been updated to disable SSL V3.0 automatically. These fixes implement a significant change in default behavior that will cause failures in any applications that rely exclusively on SSL V3.0.

For details on Java for IBM i, see the details on the Java for IBM i page on developerWorks:
http://www.ibm.com/developerworks/ibmi/techupdates/java

For the general Java considerations and details, please see this documentation:
http://www-01.ibm.com/support/docview.wss?uid=swg21688165

The IBM i Group PTF numbers for Java are:
Release 6.1 – SF99562 level 30 Release 7.1 – SF99572 level 19 Release 7.2 – SF99716 level 4

IBM HTTP server for i:

5770DG1

Release 7.1 – SI55156

On IBM i 7.1, HTTP Server PTF SI55156has been created and approved. SSLProtocolDisable and SSLProxyProtocolDisable directives are now supported on i 7.1.

Please refer to the following technote for detailed information: http://www-01.ibm.com/support/docview.wss?uid=nas8N1020384

Lotus Products:

Domino:
Please refer to the following technote for detailed information: http://www-01.ibm.com/support/docview.wss?uid=swg21687167

Traveler:
Please refer to the following technote for detailed information: http://www-01.ibm.com/support/docview.wss?uid=swg21688179

Sametime:
Please refer to the following security bulletin for detailed information: http://www-01.ibm.com/support/docview.wss?uid=swg21687845

IBM i Access Client Solutions** – 5733XJ1** IBM i Access for Windows** – 5770XE1**

IBM i Access Client Solutions 5733XJ1
 Fixes are provided by client side Service Packs via ESS
 The base Java package is not vulnerable.
 The “Windows Application Package” can be mitigated via command-line. See step 4 below.
 The “Linux Application Package” does not support SSL and therefore is not impacted.

IBM i Access for Windows 5770XE1
 SI53809 will provide mitigation for the 5250 emulator.
 Follow step 4 below using the command-line to mitigate the the non-emulator parts of the product.

System i Navigator is enabled for TLS 1.0, but will still allow fallback to SSLv3.
Note: It should be noted that these are client based products that run on the PC. As such, if the appropriate updates & changes are followed on the server to disable SSLv3, any portion of the client product which supports falling back to SSLv3 will be disabled by the server side change.

For 5770XE1 7.1 IBM i Access for Windows, apply SI53809 and follow the steps below to setGSK_PROTOCOL_SSLV3=OFF

For 5733XJ1 IBM i Access Client Solutions - Windows Application Package, no additional Service Pack required. Follow the steps below to set GSK_PROTOCOL_SSLV3=OFF

Description:
set GSK_PROTOCOL_SSLV3=OFF
Steps:
Start -> Run … -> C:\Windows\System32\systempropertiesadvanced.exe [enter]
Advanced tab -> Environment Variables…
Under “System variables” click to New…
Variable name: GSK_PROTOCOL_SSLV3
Variable value: OFF
OK -> OK -> OK
Log out and log back in for the setting to take effect.

Remediation for IBM i:

There are at least four different SSL implementations used on IBM i.

- IBM i System SSL
- OpenSSL in PASE
- IBMJSSE2 – The default Java JSSE implementation
- Domino – contains an embedded SSL implementation. Also uses System SSL in some configurations.
- Other – Any 3rd party application could include an internal SSL implementation

IBM i System SSL

IBM i System SSL is a set of generic services provided in the IBM i Licensed Internal Code (LIC) to protect TCP/IP communications using the SSL/TLS protocol.

System SSL is accessible to application developers from the following programming interfaces and JSSE implementation:

 Global Security Kit (GSKit) APIs

 Integrated IBM i SSL_ APIs
 Integrated IBM i JSSE implementation (IBMi5OSJSSEProvider)

SSL applications created by IBM, IBM business partners, independent software vendors (ISV), or customers that use one of the three System SSL interfaces listed above will use System SSL. For example, FTP and Telnet are IBM applications that use System SSL. Not all SSL enabled applications running on IBM i use System SSL.

The application developer determines which SSL/TLS protocol versions are supported by the application when it is designed.

 Some applications expose the protocol configuration to the end user. For those applications SSLv3 can be disabled through that application specific configuration.
 Many applications do not provide a configuration option for controlling the protocol. It is difficult to determine if these applications support SSLv3.
 Many applications use the System SSL default protocols such as FTP and Telnet.

After loading the System SSL fixes listed in this bulletin, applications coded to use the default values will no longer negotiate the use of RC4 cipher suites with peers.
If RC4 support is required by peers of such an application after this PTF is applied, the values can be added back to the System SSL eligible default cipher suite list using System Service Tools (SST) Advanced Analysis Command SSLCONFIG. To change the System SSL settings with the Start System Service Tools (STRSST)
command, follow these steps:

1. Open a character based interface.
2. On the command line, type STRSST.
3. Type your service tools user name and password.
4. Select option 1 (Start a service tool).
5. Select option 4 (Display/Alter/Dump).
6. Select option 1 (Display/Alter storage).
7. Select option 2 (Licensed Internal Code (LIC) data).
8. Select option 14 (Advanced analysis).
9. Select option 1 (SSLCONFIG).
10. Enter -h

This will show the help screen that describes the input strings to change the new System SSL setting for –eligibleDefaultCipherSuites.

System SSL’s support of SSLv3 can be completely disabled at the system level using the system value QSSLPCL. In this case, SSLv3 is disabled for all applications including those with user configuration available for protocols.

How to determine the SSL protocol and cipher suite used for each System SSL connection to the IBM i:
<http://www-01.ibm.com/support/docview.wss?uid=nas8N1020594&gt;

How to change the QSSLPCL system value:

From a 5250 command line:

WRKSYSVAL SYSVAL(QSSLPCL)

 Enter 5 to display QSSLPCL: This will display one of two things:

 *OPSYS: Which indicates the default protocols for the OS release are supported.
 A manually defined list of the SSL protocols currently supported by the system
 Enter 2 to edit QSSLPCL: *OPSYS is the default value. To add or remove an SSL protocol, the *OPSYS value must be removed and replaced with a complete list of all the SSL protocols you want to support. The protocols available vary by release.

**Note:**If an error is reported when attempting to modify the protocol list indicating that the QSSLCSL system value must be updated first, it means that one or more cipher specifications are present that can not be supported by new value for QSSLPCL. They either need to be removed manually or QSSLCSLCTL set to *OPSYS, so the system can remove them for you. After QSSLPCL is changed you can set QSSLCSLCTL back to *USRDFN and then change QSSLCSL as needed for your security policies.

Short cut commands to disable SSLv3 equivalent to the above steps:
**CHGSYSVAL SYSVAL(QSSLCSLCTL) VALUE(OPSYS)
CHGSYSVAL SYSVAL(QSSLPCL) VALUE('TLSV1’)

QSSLPCL Considerations by release:

R720

QSSLPCL value of *OPSYS means *TLSV1.2 *TLSV1.1 *TLSV1. *SSLV3 is disabled for System SSL by default.

R710

QSSLPCL value of *OPSYS means *TLSV1 *SSLV3. *SSLV3 is enabled for System SSL by default.

If 7.1 TR6 or later is installed there are two additional protocol versions available to optionally add in addition to *TLSV1, they are *TLSV1.2 *TLSV1.1.

_R611 / R610 _

QSSLPCL value of *OPSYS means *TLSV1 *SSLV3. *SSLV3 is enabled for System SSL by default.

The only protocol available other than *SSLV3 is *TLSV1.

Application configuration through Digital Certificate Manager (DCM)

7.1 TR6 and 7.2 have DCM options for controlling the protocol used for specific applications such as Telnet and FTP. Applications with a DCM application definition can use the DCM Update Application Definition panel to configure which protocols are supported by the application. If the DCM value includes a protocol disabled by QSSLPCL, that protocol value will silently be discarded by System SSL.

For HTTP Apache, the protocol version cannot be controlled by the DCM application ID. HTTP Apache is limited to what QSSLPCL allows. Refer to the HTTP Apache instructions for additional configuration options.

Potential Issues

Some customers find that one or more peer systems they communicate with only support or otherwise require SSLv3. Connections with those peer systems will no longer work after disabling SSLv3. For business critical connections that must continue to happen, SSLv3 will have to remain enabled until that peer can upgrade to support TLSv1.0. In those cases the administrator can disable SSLv3 on an application by application basis where protocol configuration exists.

How to determine in advance if SSLv3 is being negotiated by System SSL

The System Service Tools advanced analysis SSLCONFIG command can be used to turn on System SSL protocol version counters. The counters will indicate if SSLv3 is actively being negotiated by System SSL. This information does not provide guidance as to which application(s) is the one using SSLv3.

To use the SSL configuration IBM-supplied macro support, follow these steps:

1. Access System Service Tools by using SST by typing STRSST.

2. Take an opt. 1 - Start a service tool.
3. Take an opt. 4 - Display/Alter/Dump.
4. Take an opt. 1 - Display/Alter storage.
5. Take an opt. 2 - Licensed Internal Code (LIC) data.
6. Take an opt. 14 - Advanced analysis. (You must page down to see this option.)
7. Page down until you find the SSLCONFIG option. Then, place a 1 (Select) next to the option and press Enter. You are now on the Specify Advanced Analysis Options window. The command shows as SSLCONFIG.
8. Enter ‘-h’ without the quotation marks and press Enter to display the available options.
9. To start tracking the connections issue the following option:

-sslConnectionCounts:enable
10. The system will now count which protocol is used for active connections. We can use the following option to display the results:

-sslConnectionCounts:display
11. To disable the counting issue the following option:

-sslConnectionCounts:disable
12. To reset the count issue the following option:

-sslConnectionCounts:reset

IBMJSSE2

This is the default JSSE implementation used in all supported JDK versions.

See the IBM SDK documentation:

http://www-01.ibm.com/support/docview.wss?uid=swg21688165

Note: The System SSL based JSSE implantation IBMi5OSJSSEProvider does not provide or support the SSLv3 mitigations described for IBM SDK. Use QSSLPCL and/or Application ID configuration if using IBMi5OSJSSEProvider. However, you can use the TLSv1 Protocol Label directly in the Java code to not use SSLv3.

IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3. You should verify disabling SSLv3 does not cause any compatibility issues.

_Important note: _IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.