Security Bulletin: Vulnerability in RC4 stream cipher affects TPF Toolkit (CVE-2015-2808)

Published: 2018-08-03 04:23:43
Source: www.ibm.com

CVSS2 base score: 5 (Medium)

Metric | Value
---|---
Access Vector | NETWORK
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | PARTIAL
Integrity Impact | NONE
Availability Impact | NONE

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Summary

The RC4 “Bar Mitzvah Attack” on Secure Sockets Layer (SSL) and Transport Layer Security (TLS) affects TPF Toolkit.

Vulnerability Details

CVEID: CVE-2015-2808

DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as “Bar Mitzvah Attack”.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

TPF Toolkit 4.0.x and 4.2.x

Remediation/Fixes

Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
TPF Toolkit | 4.2.x | JR53501 | Interim Fix 4.2.4 (steps below)
TPF Toolkit | 4.0.x | JR53500 | Interim Fix 4.0.7 (steps below)

TPF Toolkit 4.2.x (APAR JR53501):

  1. Install the latest version of IBM Installation Manager.

  2. Apply Interim Fix 4.2.4 by using IBM Installation Manager.

  3. Update the Java installation on your z/OS or Linux on z Systems (or both) systems that the TPF Toolkit connects to. Download the latest version of Java from http://www.ibm.com/developerworks/java/jdk/

TPF Toolkit 4.0.x (APAR JR53500):

  1. Install the latest version of IBM Installation Manager.

  2. Apply Interim Fix 4.0.7 by using IBM Installation Manager.

  3. Update the Java installation on your z/OS or Linux on z Systems (or both) systems that the TPF Toolkit connects to. Download the latest version of Java from http://www.ibm.com/developerworks/java/jdk/

Workarounds and Mitigations

For TPF Toolkit 4.0.x and 4.2.x, you can disable the RC4 encryption algorithm for the IBM® Runtime Environment Java™ Technology Edition, Version 7 that is used by TPF Toolkit and the DSTORE server on any remote systems. To disable the RC4 encryption algorithm, complete the following steps:

  1. Close TPF Toolkit.
  2. Navigate to the %TPFHOME%\jdk\jre\lib\security directory, and add or update the jdk.tls.disabledAlgorithms property in the java.security file to include the RC4 encryption algorithm:
     jdk.tls.disabledAlgorithms=SSLv3, RC4
  3. On each remote system that hosts a DSTORE server for TPF Toolkit, navigate to the $JAVA_HOME\jre\lib\security directory and add or update the jdk.tls.disabledAlgorithms property in the java.security file to include the RC4 encryption algorithm:
     jdk.tls.disabledAlgorithms=SSLv3, RC4
     Note: $JAVA_HOME is the installation directory for Java on the remote systems.
  4. Restart TPF Toolkit.
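Steps 2 and 3 say "add or update" the property; the script below is an added example (not IBM's, not part of the bulletin) that applies that edit idempotently to a java.security file so the same run is safe on a fresh file, on one that already disables SSLv3, and on one that already lists RC4. It assumes the property, when present, sits on a single line without backslash continuation, and the sample file it edits is constructed here, not a real %TPFHOME% or $JAVA_HOME installation.

```shell
#!/bin/sh
# Added example: idempotently ensure jdk.tls.disabledAlgorithms names RC4.
# Assumes a single-line property (no "\" continuation lines).
ensure_rc4_disabled() {
    file="$1"
    if grep -q '^jdk\.tls\.disabledAlgorithms=' "$file"; then
        # Property present: is RC4 already in its value?
        if grep '^jdk\.tls\.disabledAlgorithms=' "$file" | grep -qw 'RC4'; then
            echo "unchanged"
            return 0
        fi
        # Append ", RC4" to the existing value so nothing already disabled
        # (e.g. SSLv3) is dropped; trailing whitespace/CR is trimmed first.
        awk '/^jdk\.tls\.disabledAlgorithms=/ { sub(/[[:space:]]*$/, ""); $0 = $0 ", RC4" }
             { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
        echo "updated"
    else
        # Property absent (or only present as a "#" comment): add the
        # value the bulletin prescribes.
        printf '%s\n' 'jdk.tls.disabledAlgorithms=SSLv3, RC4' >> "$file"
        echo "added"
    fi
}

# Print the effective disabled algorithms, one per line, for verification
# after the edit (e.g. before restarting TPF Toolkit or a DSTORE server).
disabled_algorithms() {
    grep '^jdk\.tls\.disabledAlgorithms=' "$1" | cut -d= -f2- | tr ',' '\n' |
        sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# Demo on a constructed java.security fragment that already disables SSLv3.
demo=$(mktemp)
printf 'jdk.tls.disabledAlgorithms=SSLv3\n' > "$demo"
ensure_rc4_disabled "$demo"   # updated
ensure_rc4_disabled "$demo"   # unchanged
disabled_algorithms "$demo"   # SSLv3 / RC4
rm -f "$demo"
```

Run disabled_algorithms against every copy of java.security the toolkit and its DSTORE servers load, since a JVM that still lists RC4 among its enabled cipher suites leaves the connection exposed regardless of what the other side configures.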
