Security Bulletin: Vulnerability in TLS affects IBM Tivoli Monitoring (CVE-2014-8730 )

2018-06-17 15:33:48
www.ibm.com

CVSS3: 3.4 Low
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N

Summary

A new variant of the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack for TLS may affect IBM Tivoli Monitoring (ITM).

Vulnerability Details

CVEID: CVE-2014-8730
DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by the failure to check the contents of the padding bytes when using CBC cipher suites in some TLS implementations. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE-like (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt sensitive information and calculate the plaintext of secure connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99216 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

The following components of IBM Tivoli Monitoring (ITM) are affected by the TLS vulnerability:

  • Portal server, distributed management server, and distributed agents:
    • GSKit – 6.20 through 6.30 FP4
    • Java - 6.20 through 6.30 FP1
  • Portal server – IBM HTTP Server (IHS) – 6.23 through 6.30 FP4
  • Portal server – Portal Clients – using SSL/IIOP 6.20 through 6.30 FP4
  • Situation Update Forwarder (SUF) - see section under Remediation/Fixes.

Remediation/Fixes

Portal Server, Distributed Management Servers, and Distributed Agents

GSKit Remediation:

The following patches address the TLS issue in common code that is shared across ITM components. Install them on each portal server, distributed management server (hub and remote), and ITM distributed agent system (unless the Service Console is disabled; see below):

* 6.30: Install 6.3.0-TIV-ITM-FP0004-IV68044
* 6.23: Install 6.2.3-TIV-ITM-FP0005-IV68044
* 6.22: Install 6.2.2-TIV-ITM-FP0009-IV68044 (prereqs 6.2.2-TIV-ITM-FP0009-IV56302 to get to correct GSKit version)
* 6.21/6.20: Upgrade to one of the versions above. Call support if unable to upgrade.

The following link contains information about accessing the patches above:
http://www.ibm.com/support/docview.wss?uid=swg24039203

NOTE: The fix for IV68044 supersedes and includes the fix for the POODLE vulnerability in SSLv3 addressed by APAR fix IV66217. Once the patch above for IV68044 is installed, the patch for IV66217 is not needed and should not be installed afterwards.

Distributed Agents
For agent systems, the patch above updates the IBM Tivoli Monitoring Shared Libraries (ax component on UNIX/Linux) or Tivoli Enterprise Monitoring Agent Framework (GL component on Windows). The technote Upgrading Shared Components for IBM Tivoli Monitoring Agents provides information on how shared libraries are used.

For agents running in distributed environments, installing the patch above is recommended. However, if that cannot be done, the Service Console can be disabled using the steps below to remediate the vulnerability.

NOTE: Disabling the service console using the steps below disables the following functions for that agent:

  • SOAP requests
  • tacmd commands
  • dynamic trace

For this reason, HTTP_SERVER:N should be configured on agent endpoints ONLY, and only if these functions are not needed by the user or by agents installed on that system.

These steps must be done for each agent and agent instance on the system.

Windows:

  • From the MTEMS, right-click on the agent or agent instance and select Advanced… Edit Variables.
  • Select KDC_FAMILIES. Add "HTTP_SERVER:N" to the beginning. For example:
    HTTP_SERVER:N @Protocol@
    Save the value.
  • Restart the agent or agent instance.

UNIX/Linux:

  • Update the <pc>.ini file and locate the line 'KDC_FAMILIES'. Add "HTTP_SERVER:N" to the front of the line. For example, if the default line looks like:
    KDC_FAMILIES=$NETWORKPROTOCOL$
    change it to the following:
    KDC_FAMILIES=HTTP_SERVER:N $NETWORKPROTOCOL$
  • For multi-instance agents, if the <pc>_<instance>.config file exists, edit it and locate the 'KDC_FAMILIES' line. Add "HTTP_SERVER:N" to the front of the value. For example, if the default line looks like:
    export KDC_FAMILIES='ip.pipe port:1918 ip.spipe use:n sna use:n ip use:n ip6.pipe use:n ip6.spipe use:n ip6 use:n'
    change it to the following:
    export KDC_FAMILIES='HTTP_SERVER:N ip.pipe port:1918 ip.spipe use:n sna use:n ip use:n ip6.pipe use:n ip6.spipe use:n ip6 use:n'
  • Restart the agent or agent instance.
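The edit above has to be repeated for every agent and instance on a system, which is where a second HTTP_SERVER:N token or a missed file tends to creep in. The following POSIX shell helper is an added example, not IBM tooling: it prepends HTTP_SERVER:N to the KDC_FAMILIES line of a <pc>.ini or <pc>_<instance>.config file only when the token is not already first, and handles the two line shapes quoted in the steps (a bare assignment and a single-quoted export). The config path in the usage comment is illustrative.

```shell
#!/bin/sh
# Added example (not IBM tooling): idempotently prepend HTTP_SERVER:N to the
# KDC_FAMILIES line of an ITM agent <pc>.ini or <pc>_<instance>.config file.
# Line shapes handled are the two quoted in the advisory:
#   KDC_FAMILIES=$NETWORKPROTOCOL$
#   export KDC_FAMILIES='ip.pipe port:1918 ip.spipe use:n ...'

# Print the KDC_FAMILIES value from a file, without any "export " prefix or
# surrounding single quotes. Prints nothing if the line is absent.
kdc_families_value() {
  sed -n 's/^\(export \)\{0,1\}KDC_FAMILIES=//p' "$1" | head -n 1 | sed "s/^'//; s/'\$//"
}

# Exit 0 only when HTTP_SERVER:N is already the first token of the value.
service_console_disabled() {
  kdc_families_value "$1" | grep -qE '^HTTP_SERVER:N( |$)'
}

# Prepend HTTP_SERVER:N in place (a <file>.bak copy is kept). Exit 0 when the
# file ends up with the console disabled, 1 when it has no KDC_FAMILIES line.
disable_service_console() {
  f="$1"
  grep -q '^\(export \)\{0,1\}KDC_FAMILIES=' "$f" || return 1
  if service_console_disabled "$f"; then
    return 0            # already done; never add a second token
  fi
  sed -i.bak \
    -e "s/^\(export KDC_FAMILIES=\)'/\1'HTTP_SERVER:N /" \
    -e "s/^\(export KDC_FAMILIES=\)\([^']\)/\1HTTP_SERVER:N \2/" \
    -e "s/^\(KDC_FAMILIES=\)'/\1'HTTP_SERVER:N /" \
    -e "s/^\(KDC_FAMILIES=\)\([^']\)/\1HTTP_SERVER:N \2/" \
    "$f"
  service_console_disabled "$f"
}

# Usage: sh disable_console.sh /opt/IBM/ITM/config/<pc>.ini ...
# (illustrative path; use the agent's actual config directory)
for cfg in "$@"; do
  if disable_service_console "$cfg"; then
    echo "$cfg: KDC_FAMILIES=$(kdc_families_value "$cfg")"
  else
    echo "$cfg: no KDC_FAMILIES line found" >&2
  fi
done
```

Running the helper twice on the same file leaves it unchanged, so it can be re-run from configuration management after every agent upgrade; the agent or instance still has to be restarted afterwards, as the steps say.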

Java Remediation:

The following are the Fix Packs or patches that remediate Java:

  • 6.30: Install 6.30 FP2 or later
  • 6.23
    • 6.23 through 6.23 FP3:
      • Install 6.X.X-TIV-ITM_JRE_TEP_6.13.02.00 or later
      • Install 6.X.X-TIV-ITM_JRE_CANDLEHOME_6.15.01.00
    • 6.23 FP4 through 6.23 FP5:
      • Install 6.X.X-TIV-ITM_JRE_CANDLEHOME_6.15.01.00
  • 6.22
    • Install 6.X.X-TIV-ITM_JRE_TEP_5.16.02.00 or later
    • Install 6.X.X-TIV-ITM_JRE_CANDLEHOME_5.16.06.00
  • 6.21/6.20: Upgrade to one of the versions above. Call support if unable to upgrade.

For distributed agent systems, the CANDLEHOME patches above update the shared Tivoli Enterprise-supplied JRE (jr component on UNIX/Linux) or Embedded JVM (JVM component on Windows). The technote Upgrading Shared Components for IBM Tivoli Monitoring Agents provides information on how shared libraries are used.

Portal server - IBM HTTP Server (IHS)

1. To resolve the vulnerability, IHS must be upgraded to the following versions:

IBM Tivoli Monitoring 623 - IHS version 7.0.0.33
IBM Tivoli Monitoring 630 - IHS version 8.0.0.9

Follow the instructions for upgrading the IBM HTTP Server in the following SMC blog post:

https://www.ibm.com/developerworks/community/blogs/0587adbc-8477-431f-8c68-9226adea11ed/entry/apply_maintenance_to_the_ibm_http_server_installed_with_ibm_tivoli_monitoring?lang=en

2. Stop the portal server.

3. Edit the IHS configuration file:

Windows: <install_dir>\IHS\conf\httpd.conf
Linux/UNIX, 623: <install_dir>/<arch>/iu/ihs/conf/httpd.conf
Linux/UNIX, 630: <install_dir>/<arch>/iu/ihs/HTTPServer/conf/httpd.conf

4. Find the virtual host section that configures HTTPS. It will be similar to the one shown below. Note that if you have changed the HTTPS port to a value other than the default 15201, the port number will differ from the one shown:

<VirtualHost *:15201>
DocumentRoot "/opt/IBM/ITM/lx8266/cw/"
SSLEnable
SSLProtocolDisable SSLv2
SSLProtocolDisable SSLv3
SSLProtocolEnable TLSv10
SSLProtocolEnable TLSv11
SSLProtocolEnable TLSv12
ErrorLog "/opt/IBM/ITM/lx8266/iu/ihs/HTTPServer/logs/sslerror.log"
TransferLog "/opt/IBM/ITM/lx8266/iu/ihs/HTTPServer/logs/sslaccess.log"
KeyFile "/opt/IBM/ITM/keyfiles/keyfile.kdb"
SSLStashfile "/opt/IBM/ITM/keyfiles/keyfile.sth"
SSLServerCert IBM_Tivoli_Monitoring_Certificate
</VirtualHost>

5. Add the following parameter after the SSLEnable parameter:

SSLAttributeSet 471 1

6. Restart the portal server.
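Steps 4 and 5 can be checked and applied mechanically, which matters when several portal servers are maintained or when a later IHS upgrade rewrites httpd.conf. The following POSIX shell script is an added example, not IBM's own procedure: it reports whether every VirtualHost that contains SSLEnable already carries SSLAttributeSet 471 1, and inserts the directive directly after SSLEnable where it is missing. Virtual hosts without SSLEnable (plain HTTP) are left alone, and a second run changes nothing. It assumes directives sit one per line, as in the sample block above; the path in the usage comment is illustrative.

```shell
#!/bin/sh
# Added example (not IBM tooling): verify and apply "SSLAttributeSet 471 1"
# inside every SSLEnable'd <VirtualHost> block of an ITM IHS httpd.conf.

# Exit 0 when every <VirtualHost> block that has SSLEnable already contains
# "SSLAttributeSet 471 1"; exit 1 when at least one such block lacks it.
ihs_ssl_attribute_set() {
  awk '
    /^[[:space:]]*<VirtualHost/ { inblock = 1; enabled = 0; hardened = 0 }
    inblock && /^[[:space:]]*SSLEnable[[:space:]]*$/ { enabled = 1 }
    inblock && /^[[:space:]]*SSLAttributeSet[[:space:]]+471[[:space:]]+1[[:space:]]*$/ { hardened = 1 }
    /^[[:space:]]*<\/VirtualHost>/ { if (enabled && !hardened) missing++; inblock = 0 }
    END { exit (missing > 0) }
  ' "$1"
}

# Insert the directive right after SSLEnable in each block that lacks it,
# matching the indentation of the SSLEnable line. The original file is kept
# as <file>.bak; already-hardened blocks and non-SSL blocks are untouched.
ihs_apply_ssl_attribute_set() {
  f="$1"
  awk '
    function flush(i, ind) {
      for (i = 1; i <= n; i++) {
        print buf[i]
        if (enabled && !hardened && buf[i] ~ /^[[:space:]]*SSLEnable[[:space:]]*$/) {
          match(buf[i], /^[[:space:]]*/)
          ind = substr(buf[i], 1, RLENGTH)
          print ind "SSLAttributeSet 471 1"
        }
      }
      n = 0
    }
    /^[[:space:]]*<VirtualHost/ { inblock = 1; enabled = 0; hardened = 0; n = 0 }
    inblock {
      buf[++n] = $0            # buffer the block so the decision is made at its end
      if ($0 ~ /^[[:space:]]*SSLEnable[[:space:]]*$/) enabled = 1
      if ($0 ~ /^[[:space:]]*SSLAttributeSet[[:space:]]+471[[:space:]]+1[[:space:]]*$/) hardened = 1
      if ($0 ~ /^[[:space:]]*<\/VirtualHost>/) { flush(); inblock = 0 }
      next
    }
    { print }                  # lines outside any VirtualHost pass through unchanged
    END { if (inblock) flush() }
  ' "$f" > "$f.new" && cp "$f" "$f.bak" && mv "$f.new" "$f"
}

# Usage: sh ihs_check.sh /opt/IBM/ITM/<arch>/iu/ihs/HTTPServer/conf/httpd.conf
# (illustrative path; see step 3 for the per-platform locations)
for conf in "$@"; do
  if ihs_ssl_attribute_set "$conf"; then
    echo "$conf: SSLAttributeSet 471 1 present in all SSL virtual hosts"
  elif ihs_apply_ssl_attribute_set "$conf"; then
    echo "$conf: directive inserted, backup in $conf.bak; restart the portal server"
  fi
done
```

The check function is also usable on its own as a compliance probe: run it after each IHS maintenance (the blog post above describes that upgrade) to confirm the directive survived, since a restored or regenerated httpd.conf silently drops the hardening.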

Portal Server Communication with Portal Clients

This applies to portal server communication with portal clients when configured to use SSL over the IIOP protocol. SSL over IIOP is in use if both of the conditions below are true:

  • HTTPS is not being used, that is, the applet.html file does not have tep.connection.protocol=http or https AND the tep.jnlp file does not have tep.connection.protocol=https
  • KFW_INTERFACE_cnps_SSL is set to "Y" in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config)

| Fix | VMRF | Remediation/First Fix |
| --- | --- | --- |
| 6.3.0-TIV-ITM-FP0005-IV74486 | 6.3.0 | http://www.ibm.com/support/docview.wss?uid=swg24040448 |
| 6.2.3-TIV-ITM-FP0005-IV74486 | 6.2.3 | http://www.ibm.com/support/docview.wss?uid=swg24040448 |
| 6.2.2-TIV-ITM-FP0009-IV74486 | 6.2.2 | http://www.ibm.com/support/docview.wss?uid=swg24040448 |
| 6.3.0-TIV-ITM-FP0006 | 6.3.0.x | http://www.ibm.com/support/docview.wss?uid=swg24040390 (check link for status on availability) |

For IBM Tivoli Monitoring 6.2.0 and 6.2.1, IBM recommends upgrading to a fixed, supported version/release of the product as listed above.

You should verify that applying this fix does not cause any compatibility issues.

Situation Update Forwarder (SUF)

Install one of the following versions of SUF to remediate the POODLE vulnerability for both TLS and SSLv3:

* Situation Update Forwarder 6.23 FP5 + 6.2.3.TIV-ITM-FP0005-IV66139
* Situation Update Forwarder 6.30 FP3 + 6.2.3.TIV-ITM-FP0005-IV66139
* Situation Update Forwarder 6.30 FP4

Note: The version of SUF should match or be higher than that of the management server(s) it connects to in order to send event information.

Workarounds and Mitigations

Portal Server Communication with Portal Clients Workaround

The following configuration change is required on the portal server if communication with the portal client uses SSL over IIOP and the patch above is not installed. SSL over IIOP is in use if the HTTPS protocol is not being used and KFW_INTERFACE_cnps_SSL is set to "Y" in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config).

Select one of the following two configuration changes:

Option 1: Configure to use IIOP:
  • In Manage Tivoli Enterprise Monitoring Services, right-click Tivoli Enterprise Portal Server.
  • Click Advanced > Edit ENV file.
  • Find the following line:
    kfw_interface_cnps_ssl=Y
  • Change the Y to N.
  • Save the file and exit.
  • Click Yes when you are asked if you want to recycle the service.

Option 2: Configure to use HTTPS on 6.30 FP2 or higher, by updating one of the files below:
  • applet.html file has tep.connection.protocol=http or https, OR
  • tep.jnlp file has tep.connection.protocol=https
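The SSL-over-IIOP test stated in the Portal Server Communication with Portal Clients section and repeated in this workaround is easy to script, so the same answer comes out on every portal server before deciding between the IV74486 fix, the IIOP option and the HTTPS option. The following POSIX shell helper is an added example, not IBM tooling. It assumes the launch files carry the setting literally as tep.connection.protocol=<value> and that the environment file carries KFW_INTERFACE_cnps_SSL=Y (matched case-insensitively, with an optional export prefix and quotes); the file names in the usage line are illustrative.

```shell
#!/bin/sh
# Added example (not IBM tooling): decide whether the portal server's channel
# to portal clients is SSL over IIOP, using the two conditions the advisory
# gives. Assumes the settings appear literally as "tep.connection.protocol=..."
# in applet.html / tep.jnlp and "KFW_INTERFACE_cnps_SSL=Y" in kfwenv / cq.config.

# Exit 0 if either launch file selects the HTTP or HTTPS transport:
# applet.html with tep.connection.protocol=http or https, or tep.jnlp with
# tep.connection.protocol=https (the advisory's definition of "HTTPS in use").
tep_https_in_use() {
  applet="$1"; jnlp="$2"
  grep -qi 'tep\.connection\.protocol=https\{0,1\}' "$applet" 2>/dev/null && return 0
  grep -qi 'tep\.connection\.protocol=https' "$jnlp" 2>/dev/null && return 0
  return 1
}

# Exit 0 if KFW_INTERFACE_cnps_SSL=Y is set in the portal server environment
# file (Windows: kfwenv, UNIX/Linux: cq.config). Case-insensitive; tolerates an
# "export " prefix and quotes around the value.
kfw_cnps_ssl_enabled() {
  grep -qiE "^[[:space:]]*(export[[:space:]]+)?KFW_INTERFACE_CNPS_SSL=[\"']?Y[\"']?[[:space:]]*\$" "$1" 2>/dev/null
}

# Exit 0 when both conditions hold, i.e. the portal client channel is SSL over
# IIOP and the IV74486 fix or one of the two workaround options applies.
uses_ssl_over_iiop() {
  if tep_https_in_use "$1" "$2"; then
    return 1        # HTTPS (or HTTP) transport configured: not SSL over IIOP
  fi
  kfw_cnps_ssl_enabled "$3"
}

# Usage: sh check_iiop.sh applet.html tep.jnlp cq.config   (illustrative paths)
if [ $# -eq 3 ]; then
  if uses_ssl_over_iiop "$1" "$2" "$3"; then
    echo "SSL over IIOP in use: apply the IV74486 fix or one of the workaround options"
  else
    echo "SSL over IIOP not in use: this section does not apply to the portal client channel"
  fi
fi
```

Note that a result of "not in use" only says this particular fix does not apply; the GSKit, Java and IHS remediations above are independent of the portal client transport.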
