Lucene search

K
ibmIBM221573BADDA79D6BF68490001072D814021E193880E87312148C454854170DE5
HistoryJun 17, 2018 - 3:23 p.m.

Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Tivoli Monitoring (CVE-2015-2808)

2018-06-1715:23:36
www.ibm.com
6

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

Summary

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects IBM Tivoli Monitoring.

Vulnerability Details

CVEID: CVE-2015-2808 DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as “Bar Mitzvah Attack”.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

The following components of IBM Tivoli Monitoring (ITM) are affected by the RC4 “Bar Mitzvah” vulnerability:

    • Tivoli Enterprise Portal Server (TEPS)
* embedded WebSphere Application Server – ITM versions 6.20 through 6.30 FP4
* IBM HTTP Server (IHS) - ITM versions 6.23 through 6.30 FP4
* Portal Server Communication with Portal Clients when configured to use SSL over IIOP protocol - ITM versions 6.20 through 6.30 FP4
  • Tivoli Enterprise Management Server (TEMS) - when LDAP is configured - ITM versions 6.20 through 6.30 FP4.

Remediation/Fixes

**

Management Server

**

If LDAP is configured for user authentication on the management server, a patch with the remediation will need to be installed. The appropriate patch below should be installed on each management server (hub and remote) where the LDAP client is configured:

  • 6.30: Install 6.3.0-TIV-ITM-FP0004-IV72812
  • 6.23: Install 6.2.3-TIV-ITM-FP0005-IV72812
  • 6.22: Install 6.2.2-TIV-ITM-FP0009-IV72812
  • 621/6.20: IBM recommends upgrading to a fixed, supported version/release of the product as listed above…

The following link contains information about accessing the patches above: _
__<http://www.ibm.com/support/docview.wss?uid=swg24039910&gt;_

You should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.

**

Portal Server

**

**

embedded WebSphere Application Server:

**

You should verify applying this fix does not cause any compatibility issues. Fix VMRF Remediation/First Fix
6.X.X-TIV-ITM_EWAS_ALL_20150731 6.3.0.x http://www.ibm.com/support/docview.wss?uid=swg24040392
Patch to upgrade the embedded WebSphere Application Server (eWAS) shipped as part of the IBM Tivoli Monitoring portal server to version 8.0.0.10 plus additional Interim Fixes referred to as Interim Fix Block 2__.__
Technote 6.2.3.x __<http://www.ibm.com/support/docview.wss?uid=swg21633720&gt;__
Contains information about installing the embedded WebSphere Application Server (eWAS) patches for IBM Tivoli Monitoring 6.23. The link gives instructions to install** **eWAS 7.0 Fix Pack 33 (7.0.0.37) and Interim Fix block 1
Technote 6.2.2.x http://www.ibm.com/support/docview.wss?uid=swg21509259
Contains information about installing the embedded WebSphere Application Server (eWAS) patches for IBM Tivoli Monitoring 6.22. The link gives instructions are to install** **eWAS 6.1 Fix Pack 47 (6.1.0.47) and Interim Fix block 2.

For IBM Tivoli Monitoring 6.2.0 and 6.2.1, IBM recommends upgrading to a fixed, supported version/release of the product as listed above.

**

IBM HTTP Server (IHS):

**
Update the configuration for the IBM HTTP Server (IHS) included as part of IBM Tivoli Monitoring portal server for versions 6.23 through 6.30 FP1. Note: Portal Server versions 6.20 through 6.22 FP9 are not affected and do not need the change below.

Edit the IBM HTTP Server configuration file httpd.conf:
Windows: Edit the file <install_dir>/IHS/conf/httpd.conf
ITM 6.2.3 on Linux/AIX: Edit the file <install_dir>/<arch>/iu/ihs/conf/httpd.conf
ITM 6.3.0 on Linux/AIX: Edit the file install_dir>/<arch>/iu/ihs/HTTPServer/conf/httpd.conf

Add the following directive to the httpd.conf file to disable RC4 ciphers for each context that contains “SSLEnable”:

SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

Stop and restart the portal server for the changes to take affect.

**

__

**Portal Server Communication with Portal Clients:

Portal Server Communication with Portal Clients when configured to use SSL over IIOP protocol. SSL over IIOP is being used if both conditions below are true:
- HTTPS is not being used
- applet.html file does not have the tep.connection.protocol=http or https AND
- tep.jnlp file does not have tep.connection.protocol=https
- the KFW_INTERFACE_cnps_SSL is set to “Y” in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config)

You should verify applying this fix does not cause any compatibility issues. Fix VMRF Remediation/First Fix
6.3.0-TIV-ITM-FP0005-IV74486 6.3.0 http://www.ibm.com/support/docview.wss?uid=swg24040448
6.2.3-TIV-ITM-FP0005-IV74486 6.2.3 http://www.ibm.com/support/docview.wss?uid=swg24040448
6.2.2-TIV-ITM-FP0009-IV74486 6.2.2 http://www.ibm.com/support/docview.wss?uid=swg24040448
6.3.0-TIV-ITM-FP0006 6.3.0.x __<http://www.ibm.com/support/docview.wss?uid=swg24040390&gt;__
Check link for status on availability.

For IBM Tivoli Monitoring 6.2.0 and 6.2.1, IBM recommends upgrading to a fixed, supported version/release of the product as listed above.

You should verify applying this fix does not cause any compatibility issues.

Workarounds and Mitigations

**

Portal Server Workarounds

**
If the patches above are not installed, the following configuration changes can be made on the portal server to address the issue.

**

Embedded WebSphere Application Server (eWAS) Workaround:

**
Update the configuration for the embedded Websphere Application Server (eWAS) included as part of IBM Tivoli Monitoring portal server.

1. Ensure the portal server is running.

2. Start the TEPS/e administration console using the steps in the Starting the TEPS/e administration console section in the Administrator’s Guide or follow the steps below:
Enable the TEPS/e Administration Console:.
On Windows: Select the Tivoli Enterprise Portal server from Manage Tivoli Enterprise Monitoring Services (MTEMS), right mouse click, select Advanced –> TEPS/e Administration–> Enable TEPS/e Administration

On UNIX/Linux: Run the command:
$CANDLEHOME/<interp>/iw/scripts/enableISCLite.sh true

. Enable TEPS/e Administration Console password.
On Windows: Select the Tivoli Enterprise Portal server from MTEMS, right mouse click, select Advanced –> TEPS/e Administration–> Enable TEPS/e Password

On UNIX/Linux: Run the command:
$CANDLEHOME/<interp>/iw/scripts/updateTEPSEPass.sh wasadmin <password>

. Logon to the TEPS/e Administration Console by issuing the command:
http://<teps_hostname>:15205/ibm/console.
Use “wasadmin” as the userid and type in the password set in step 3 above.

3. On the Administration Console

* Go to Security &gt; SSL certificate and key management &gt; SSL configurations &gt; NodeDefaultSSLSettings &gt; Quality of protection (QoP)
* In the "Cipher suites" select the following ciphers from "Select ciphers" box and remove them with the "&lt;&lt; Remove" button.
  * SSL_RSA_WITH_RC4_128_MD5
  * SSL_RSA_WITH_RC4_128_SHA
  * SSL_DHE_DSS_WITH_RC4_128_SHA
* Apply/Save. 

**

Portal Server Communication with Portal Clients Workaround:

**
A configuration change is required when the portal server is configured to use the SSL over IIOP protocol. SSL over IIOP is being used if both conditions below are true:

  • HTTPS is not being used
  • applet.html file does not have the tep.connection.protocol=http or https AND
  • tep.jnlp file does not have tep.connection.protocol=https
  • the KFW_INTERFACE_cnps_SSL is set to “Y” in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config)

Edit the portal server configuration file:
Windows: <install_dir>/CNPS/KFWENV
Linux/AIX: <install_dir>/config/cq.ini

Add/modify the following variable:
ITM version 6.30 through 6.30 FP4:

KFW_ORBPARM=-Dvbroker.security.server.socket.enabledProtocols=TLS_Version_1_0_Only -Dvbroker.security.cipherList=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,TLS_DHE_RSA_
WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA

ITM version 620 through 6.23 FP5:
KFW_ORBPARM=-Dvbroker.security.cipherList=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,TLS_DHE_RSA_
WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA
Stop and restart portal server for the changes to take affect.

You should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

Related for 221573BADDA79D6BF68490001072D814021E193880E87312148C454854170DE5