Aug 25, 2020 - 12:33 p.m.

Security Bulletin: BEAST security vulnerability in IBM Tivoli Netcool Performance Manager for Wireline (CVE-2011-3389)

www.ibm.com
beast vulnerability
ibm tivoli netcool
wireline
tls 1.0
tlsv1.2
encryption
websphere server

EPSS: 0.006 (Percentile: 78.8%)

Summary

The Browser Exploit Against SSL/TLS (a.k.a. BEAST) vulnerability has been observed. In TLS 1.0 and earlier, it is possible to predict the Initialization Vector (IV) of the block cipher encryption. This allows a man-in-the-middle attacker to guess the plaintext being encrypted. The affected products use TLS 1.0 and earlier.

Vulnerability Details

**Third Party Entry:** PSIRT-ADV0016851
DESCRIPTION:
CVSS Base score: 4.7
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| TNPM Wireline | 1.4.0 |
| TNPM Wireline | 1.4.1 |
| TNPM Wireline | 1.4.2 |
| TNPM Wireline | 1.4.3 |
| TNPM Wireline | 1.4.4 |
| TNPM Wireline | 1.4.5 |

Remediation/Fixes

This issue can be addressed by disabling TLS versions below TLSv1.2 and keeping only TLSv1.2 enabled.

  1. Modify this file:

     …/IBM/WebSphere/AppServer/products/sklm/config/SKLMConfig.properties

     Look for the property:
     TransportListener.ssl.protocols = SSL_TLS

     Update the property to have the value TLSv1.2, as shown below:
     TransportListener.ssl.protocols=TLSv1.2

     This will only enable TLS version 1.2.
     Save the file.

  2. Log in to the WAS Admin Console.

     Go to Security > SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.
     In the WAS GUI: Security > SSL certificate and key management, and under Related Items, click SSL configurations.
     Select each SSL configuration described below, such as NodeDefaultSSLSettings, then click Quality of protection (QoP) settings under Additional Properties. For Protocol, select the desired protocol, TLSv1.2, then click Apply and Save.

  3. Modify this file:

     …/IBM/WebSphere/AppServer/profiles/KLMProfile/properties/ssl.client.props

     Look for the property:
     com.ibm.ssl.protocol

     Update the property to have the value TLSv1.2, as shown below:
     com.ibm.ssl.protocol=TLSv1.2

     Save the file.

  4. Restart WebSphere Server.
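
A check for the two file edits above (SKLMConfig.properties and ssl.client.props), added here as an example and not IBM's own code: it reports whether the property named in the bulletin is set to TLSv1.2, ignoring commented-out lines and honouring the last of any duplicate assignments. It assumes both files follow standard Java .properties syntax; the script name, function names and sample file contents are constructed for illustration.

```python
import os
import re
import sys

# Property each file must carry after the change, taken from the steps above.
EXPECTED = {
    "SKLMConfig.properties": "TransportListener.ssl.protocols",
    "ssl.client.props": "com.ibm.ssl.protocol",
}
WANT = "TLSv1.2"

# key, optional '=' or ':' separator, then value (java.util.Properties rules;
# backslash line continuations are not handled, the values here are one token).
_LINE = re.compile(r"^[ \t\f]*([^#!\s=:][^\s=:]*)[ \t\f]*[=:]?[ \t\f]*(.*)$")

def parse_properties(text):
    """Return {key: value}. Comment lines (# or !) are skipped and a repeated
    key keeps its last value, as java.util.Properties.load() does."""
    props = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)  # trailing whitespace is kept, as in Java
    return props

def check(text, key, want=WANT):
    """Return (status, value) where status is 'ok', 'mismatch' or 'missing'."""
    props = parse_properties(text)
    if key not in props:
        return ("missing", None)
    return ("ok" if props[key] == want else "mismatch", props[key])

# Constructed sample contents, not taken from a real installation.
SKLM_BEFORE = "# listener\nTransportListener.ssl.protocols = SSL_TLS\n"
SKLM_AFTER = "TransportListener.ssl.protocols=TLSv1.2\n"
CLIENT_OVERRIDDEN = "com.ibm.ssl.protocol=TLSv1.2\ncom.ibm.ssl.protocol=SSL_TLS\n"
CLIENT_COMMENTED = "#com.ibm.ssl.protocol=TLSv1.2\n"

if __name__ == "__main__":
    # Usage: python check_tls_props.py <SKLMConfig.properties path> <ssl.client.props path>
    failed = False
    for path in sys.argv[1:]:
        key = EXPECTED.get(os.path.basename(path))
        if key:  # files the bulletin does not name are skipped
            with open(path, encoding="latin-1") as fh:
                status, value = check(fh.read(), key)
            print(f"{path}: {key} -> {status} ({value!r})")
            failed |= status != "ok"
    sys.exit(1 if failed else 0)
```

The script exits non-zero when a named property is missing or not exactly TLSv1.2, so it can run as a post-change check before the WebSphere restart.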

Workarounds and Mitigations

None