Security Bulletin: Sweet32 Birthday attacks on 64-bit block ciphers in TLS affect Content Manager for z/OS (CVE-2016-2183)

Summary

System SSL’s SSL V2, SSL V3 and TLS protocols support the use of Triple DES ciphers and are susceptible to the Sweet32 Birthday attack vulnerability. This vulnerability affects exploiters acting as either clients or servers. Content Manager 8 Resource Manager on z/OS uses System SSL and addressed the applicable CVE.

Vulnerability Details

CVEID: CVE-2016-2183** **
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the in the Triple-DES on 64-bit block cipher, used as a part of the SSL/TLS protocol. By capturing large amounts of encrypted traffic between the SSL/TLS server and the client, a remote attacker able to conduct a man-in-the-middle attack could exploit this vulnerability to recover the plaintext data and obtain sensitive information. This vulnerability is known as the SWEET32 Birthday attack.

CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116337 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Content Manager for z/OS 8.5

Remediation/Fixes

_Fix_*

| VRMF|APAR|How to acquire fix
—|—|—|—
Content Manager for z/OS_ 8.5_| _ 8.5.05 and earlier_| None| Apply 8.5.0.6 Fix Pack UI42940 and UI42941
Contact L2 Support for acquiring the Fix Pack.