Security Bulletin: Multiple vulnerabilities in IBM Java SDK and in Diffie-Hellman ciphers affects IBM InfoSphere Information Server (CVE-2015-0478 CVE-2015-0488 CVE-2015-1916 CVE-2015-4000)

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Versions 6 and 7 that are used by IBM InfoSphere Information Server. These issues were disclosed as part of the IBM Java SDK updates in April 2015. This bulletin also addresses the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol (CVE-2015-4000).

OpenSSL is vulnerable to the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol (CVE-2015-4000). OpenSSL is used by the Progress Software DataDirect Connect ODBC drivers which are shipped as a component of IBM InfoSphere Information Server. The Progress Software DataDirect Connect ODBC drivers have addressed the applicable CVEs.

Vulnerability Details

CVEID:CVE-2015-0478**
DESCRIPTION:*An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102339 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID:CVE-2015-0488**
DESCRIPTION:*An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102336 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID:CVE-2015-1916**
DESCRIPTION:*Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101995 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-4000**
DESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as “Logjam”.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103294 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

The following product, running on all supported platforms, is affected:
IBM InfoSphere Information Server: versions 8.5, 8.7, 9.1, and 11.3

Remediation/Fixes

Product

| VRMF| APAR| Remediation/First Fix
—|—|—|—
InfoSphere Information Server| 11.3| JR53275
JR53677| --Follow instructions in the README
--Upgrade toDataDirect ODBC drivers version 7.1.5
--Use TechNote to choose which OpenSSL version the drivers will use
--Use TechNote to follow additional post installation configuration steps
InfoSphere Information Server| 9.1| JR53275
JR53677| --Update your java.security file to add
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize <768
--Apply JR53275 on all tiers
--Upgrade toDataDirect ODBC drivers version 7.1.5
--Use TechNote to choose which OpenSSL version the drivers will use
--Use TechNote to follow additional post installation configuration steps
InfoSphere Information Server| 8.7| JR53275
JR53677| --Apply IBM InfoSphere Information Server version 8.7 Fix Pack 2
--Update your java.security file to add
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize <768
--Apply JR53275 on all tiers
--Upgrade toDataDirect ODBC drivers version 7.1.5
--Use TechNote to choose which OpenSSL version the drivers will use
--Use TechNote to follow additional post installation configuration steps
InfoSphere Information Server| 8.5| JR53275
JR53677| --Apply IBM InfoSphere Information Server version 8.5 Fix Pack 3
--Update your java.security file to add
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize <768
--Apply JR53275 on all tiers
--Upgrade toDataDirect ODBC drivers version 7.1.5
--Use TechNote to choose which OpenSSL version the drivers will use
--Use TechNote to follow additional post installation configuration steps

For CVE-2015-4000:
1. As the length of the server key size is increased, the amount of CPU required for full TLS/SSL handshake can significantly increase. Please carefully test and assess the impact to your CPU requirements to ensure sufficient CPU resources, otherwise the system availability may be impacted.

2. You should verify that applying this configuration change does not cause any compatibility issues. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions.

For IBM InfoSphere Information Server version 8.1, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Workarounds and Mitigations

If for any reason, all of the fixes listed above cannot be applied, CVE-2015-4000 may be mitigated as follows:

For the DataDirect ODBC drivers, in all InfoSphere Information Server releases, turn off the use of all DHE cipher suites in the DataDirect ODBC drivers. The list of cipher suites used by the drivers can be found at:** ****_
_**_http://media.datadirect.com/download/docs/odbc/allodbc/help.html?ga=1.236687233.1889495448.1411436493#page/reference/rfi1359986340742.html **
**The drivers have a hidden connection option named CipherList to control which cipher suites can be used by the driver. For information on the format of CipherList, refer to <https://www.openssl.org/docs/man1.0.2/apps/ciphers.html&gt;

For WebSphere Application Server, mitigation information can be found in the Security Bulletin <http://www-01.ibm.com/support/docview.wss?uid=swg21957980&gt;**.**

For CVE-2015-4000:
1. As the length of the server key size is increased, the amount of CPU required for full TLS/SSL handshake can significantly increase. Please carefully test and assess the impact to your CPU requirements to ensure sufficient CPU resources, otherwise the system availability may be impacted.

2. You should verify that applying this configuration change does not cause any compatibility issues. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions.