CVSS3 metric | Value |
---|---|
Base score | 3.4 Low |
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | CHANGED |
Confidentiality Impact | LOW |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N |

CVSS2 metric | Value |
---|---|
Base score | 4.3 Medium |
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | AV:N/AC:M/Au:N/C:P/I:N/A:N |
A new variant of the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack for TLS may affect IBM Tivoli Monitoring (ITM).
**CVEID:** CVE-2014-8730
**DESCRIPTION:** Product could allow a remote attacker to obtain sensitive information, caused by the failure to check the contents of the padding bytes when using CBC cipher suites of some TLS implementations. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) like attack to decrypt sensitive information and calculate the plaintext of secure connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99216> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
The following components of IBM Tivoli Monitoring (ITM) are affected by the TLS vulnerability:
The following patches are provided to address the issue with TLS in common code that is shared across ITM components. The following patches should be installed on each portal server, distributed management server (hub and remote), and ITM distributed agent systems (unless the Service Console is disabled, see below):
* 6.30: Install 6.3.0-TIV-ITM-FP0004-IV68044
* 6.23: Install 6.2.3-TIV-ITM-FP0005-IV68044
* 6.22: Install 6.2.2-TIV-ITM-FP0009-IV68044 (prereqs 6.2.2-TIV-ITM-FP0009-IV56302 to get to correct GSKit version)
* 6.21/6.20: Upgrade to one of the versions above. Call support if unable to upgrade.
The following link contains information about accessing the patches above:
http://www.ibm.com/support/docview.wss?uid=swg24039203
NOTE: The fix for IV68044 supersedes and includes the fix for the POODLE vulnerability in SSLv3 addressed by APAR fix IV66217. Once the patch above for IV68044 is installed, the patch for IV66217 is not needed and should not be installed afterwards.
Distributed Agents
For agent systems, the patch above updates the IBM Tivoli Monitoring Shared Libraries (ax component on UNIX/Linux) or Tivoli Enterprise Monitoring Agent Framework (GL component on Windows). The technote Upgrading Shared Components for IBM Tivoli Monitoring Agents provides information on how shared libraries are used.
For Agents running on distributed environments, it is recommended to install the patch above. However, if that cannot be done, the Service Console can be disabled using the steps below to remediate the vulnerability.
NOTE: Disabling the service console using the steps below will result in the following functions being disabled for that agent:
These steps will need to be done for each agent and agent instance on the system.
Windows:
UNIX/Linux:
The following are the Fix Packs or patches that remediate Java:
For distributed agent systems, the CANDLEHOME patches above update the shared Tivoli Enterprise-supplied JRE (jr component on UNIX/Linux) or Embedded JVM (JVM component on Windows). The technote Upgrading Shared Components for IBM Tivoli Monitoring Agents provides information on how shared libraries are used.
1. In order to resolve the vulnerability, IHS must be upgraded to the following versions:
IBM Tivoli Monitoring 623 - IHS version 7.0.0.33
IBM Tivoli Monitoring 630 - IHS version 8.0.0.9
Follow the instructions for upgrading the IBM HTTP Server in the following SMC blog post:
2. Stop the portal server.
3. Edit the IHS configuration file:
Windows: <install_dir>\IHS\conf\httpd.conf
Linux/UNIX, 623: <install_dir>/<arch>/iu/ihs/conf/httpd.conf
Linux/UNIX, 630: <install_dir>/<arch>/iu/ihs/HTTPServer/conf/httpd.conf
4. Find the virtual host section that configures HTTPS. It will be similar to that shown below. Note that if you have changed the HTTPS port to a value other than the default 15201, the port number will be different than shown below:
```
<VirtualHost *:15201>
DocumentRoot "/opt/IBM/ITM/lx8266/cw/"
SSLEnable
SSLProtocolDisable SSLv2
SSLProtocolDisable SSLv3
SSLProtocolEnable TLSv10
SSLProtocolEnable TLSv11
SSLProtocolEnable TLSv12
ErrorLog "/opt/IBM/ITM/lx8266/iu/ihs/HTTPServer/logs/sslerror.log"
TransferLog "/opt/IBM/ITM/lx8266/iu/ihs/HTTPServer/logs/sslaccess.log"
KeyFile "/opt/IBM/ITM/keyfiles/keyfile.kdb"
SSLStashfile "/opt/IBM/ITM/keyfiles/keyfile.sth"
SSLServerCert IBM_Tivoli_Monitoring_Certificate
</VirtualHost>
```
5. Add the following parameter after the `SSLEnable` parameter:
```
SSLAttributeSet 471 1
```
6. Restart the portal server.
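As an added verification check (not part of the IBM bulletin), the following Python applies step 5 to a constructed copy of the sample virtual host and then confirms the resulting block has SSLv2 and SSLv3 disabled, TLS enabled, and `SSLAttributeSet 471 1` placed after `SSLEnable`. The sample text and the function names are assumptions of this example; the directives are the bulletin's.

```python
import re

# Constructed httpd.conf excerpt modelled on the bulletin's sample, before step 5.
VHOST_BEFORE = """\
<VirtualHost *:15201>
DocumentRoot "/opt/IBM/ITM/lx8266/cw/"
SSLEnable
SSLProtocolDisable SSLv2
SSLProtocolDisable SSLv3
SSLProtocolEnable TLSv10
SSLProtocolEnable TLSv11
SSLProtocolEnable TLSv12
KeyFile "/opt/IBM/ITM/keyfiles/keyfile.kdb"
SSLServerCert IBM_Tivoli_Monitoring_Certificate
</VirtualHost>
"""

def apply_step5(conf: str) -> str:
    """Step 5 of the bulletin: insert 'SSLAttributeSet 471 1' directly after SSLEnable."""
    return re.sub(r"^([ \t]*SSLEnable)[ \t]*$", r"\1\nSSLAttributeSet 471 1",
                  conf, count=1, flags=re.M)

def check_https_vhost(conf: str, port: int = 15201) -> dict:
    """Inspect the <VirtualHost *:port> block and report each TLS-relevant condition."""
    m = re.search(rf"<VirtualHost \*:{port}>(.*?)</VirtualHost>", conf, re.S)
    if not m:
        raise ValueError(f"no <VirtualHost *:{port}> block found")
    lines = [ln.strip() for ln in m.group(1).splitlines() if ln.strip()]
    disabled = {ln.split()[1] for ln in lines if ln.startswith("SSLProtocolDisable ")}
    enabled = {ln.split()[1] for ln in lines if ln.startswith("SSLProtocolEnable ")}
    has_enable = "SSLEnable" in lines
    attr_ok = False
    if has_enable and "SSLAttributeSet 471 1" in lines:
        # The bulletin places the attribute after SSLEnable; check the ordering too.
        attr_ok = lines.index("SSLAttributeSet 471 1") > lines.index("SSLEnable")
    return {
        "ssl_enabled": has_enable,
        "sslv2_sslv3_disabled": {"SSLv2", "SSLv3"} <= disabled,
        "tls_enabled": bool(enabled & {"TLSv10", "TLSv11", "TLSv12"}),
        "attribute_471_set": attr_ok,
    }

def remediated(conf: str, port: int = 15201) -> bool:
    """True only when every condition from check_https_vhost holds."""
    return all(check_https_vhost(conf, port).values())
```

Run `check_https_vhost` against the real httpd.conf contents (with the HTTPS port you actually use) to see which condition is missing before and after the edit.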
**Portal Server Communication with Portal Clients:**
This applies when the portal server is configured to use SSL over IIOP for communication with portal clients. SSL over IIOP is being used if both conditions below are true:
- HTTPS is not being used, meaning the applet.html file does not have tep.connection.protocol=http or https AND the tep.jnlp file does not have tep.connection.protocol=https
- KFW_INTERFACE_cnps_SSL is set to "Y" in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config)
Fix | VMRF | Remediation/First Fix |
---|---|---|
6.3.0-TIV-ITM-FP0005-IV74486 | 6.3.0 | http://www.ibm.com/support/docview.wss?uid=swg24040448 |
6.2.3-TIV-ITM-FP0005-IV74486 | 6.2.3 | http://www.ibm.com/support/docview.wss?uid=swg24040448 |
6.2.2-TIV-ITM-FP0009-IV74486 | 6.2.2 | http://www.ibm.com/support/docview.wss?uid=swg24040448 |
6.3.0-TIV-ITM-FP0006 | 6.3.0.x | <http://www.ibm.com/support/docview.wss?uid=swg24040390> Check link for status on availability. |
For IBM Tivoli Monitoring 6.2.0 and 6.2.1, IBM recommends upgrading to a fixed, supported version/release of the product as listed above.
You should verify applying this fix does not cause any compatibility issues.
One of the following versions of SUF should be installed to remediate the vulnerability for POODLE for both TLS and SSLv3:
* Situation Update Forwarder 6.23 FP5 + 6.2.3.TIV-ITM-FP0005-IV66139
* Situation Update Forwarder 6.30 FP3 + 6.2.3.TIV-ITM-FP0005-IV66139
* Situation Update Forwarder 6.30 FP4
* Note: The version of SUF should match or be higher than the management server(s) it connects to send event information.
The following configuration change is required on the portal server if the protocol configured for communication with the portal client is SSL over IIOP and the patch above is not installed. This is the case if the HTTPS protocol is not being used and KFW_INTERFACE_cnps_SSL is set to "Y" in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config).
Select one of the following two configuration changes:
Configure to use IIOP:
1. In Manage Tivoli Enterprise Monitoring Services, right-click Tivoli Enterprise Portal Server.
2. Click Advanced > Edit ENV file.
3. Find the following line:
```
kfw_interface_cnps_ssl=Y
```
4. Change the Y to N.
5. Save the file and exit.
6. Click **Yes** when you are asked if you want to recycle the service.
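As an added helper (not part of the bulletin), this Python encodes the SSL-over-IIOP test from the Portal Server Communication section above together with the "Configure to use IIOP" change just described. The sample file contents, the `<param>`/`<property>` markup and the function names are constructed assumptions; the decision rule and the Y-to-N flag change are the bulletin's.

```python
import re
from typing import Optional

# Constructed samples, not real ITM files. The first pair has no
# tep.connection.protocol=http/https entry, i.e. HTTPS is not in use.
APPLET_HTML = "<!-- constructed applet.html: no tep.connection.protocol entry -->\n"
TEP_JNLP = "<!-- constructed tep.jnlp: no tep.connection.protocol entry -->\n"
APPLET_HTTPS = '<param name="tep.connection.protocol" value="https">\n'
KFWENV = "KFW_INTERFACE_cnps_SSL=Y\n"

# Matches tep.connection.protocol followed (within a few characters) by http or https,
# so both "key=https" and markup like value="https" are recognised.
_PROTO = re.compile(r"tep\.connection\.protocol.{0,20}?\b(https?)\b", re.I)

def https_in_use(applet_html: str, tep_jnlp: str) -> bool:
    """HTTPS counts as in use if applet.html selects http/https or tep.jnlp selects https."""
    a = _PROTO.search(applet_html)
    j = _PROTO.search(tep_jnlp)
    return a is not None or (j is not None and j.group(1).lower() == "https")

def cnps_ssl_flag(env_text: str) -> Optional[str]:
    """Return the KFW_INTERFACE_cnps_SSL value (kfwenv / cq.config), case-insensitive key."""
    for line in env_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "kfw_interface_cnps_ssl":
            return value.strip().upper()
    return None

def ssl_over_iiop_in_use(applet_html: str, tep_jnlp: str, env_text: str) -> bool:
    """Both bulletin conditions: HTTPS not used AND the cnps SSL flag set to Y."""
    return not https_in_use(applet_html, tep_jnlp) and cnps_ssl_flag(env_text) == "Y"

def configure_plain_iiop(env_text: str) -> str:
    """The 'Configure to use IIOP' change: flip kfw_interface_cnps_ssl from Y to N."""
    return re.sub(r"^([ \t]*kfw_interface_cnps_ssl[ \t]*=[ \t]*)Y[ \t]*$", r"\1N",
                  env_text, flags=re.I | re.M)
```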
Name | Operator | Version |
---|---|---|
tivoli monitoring | eq | 6.3.0 |
tivoli monitoring | eq | 6.2.3 |
tivoli monitoring | eq | 6.2.2 |
tivoli monitoring | eq | 6.2.1 |
tivoli monitoring | eq | 6.2.0 |