CVSS2 base score: 5 (Medium)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
The RC4 “Bar Mitzvah” Attack for SSL/TLS affects InfoSphere BigInsights.
CVEID: CVE-2015-2808
DESCRIPTION: The RC4 algorithm, as used in the TLS and SSL protocols, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as the “Bar Mitzvah Attack”.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Customers who have Secure Sockets Layer (SSL) support enabled for any of the BigInsights components.
IBM InfoSphere BigInsights 2.0, 2.1, 2.1.2, 3.0, 3.0.0.1, 3.0.0.2, 4.0
For versions 2.1.2, 2.1, and 2.0: Apply the Interim fix, which removes the RC4 cipher suites from the default list of enabled cipher suites. After downloading the BigInsights IBM Java version 1.6 Service Refresh 16 Fix Pack 3 from Fix Central, perform the following steps as the BigInsights Administrator to replace the default JDK:
The steps below assume that the new JDK is ibm-java-sdk-6.0-16.3-linux-x86_64.tgz and the current JDK is ibm-java-sdk-6.0-12.0-linux-x86_64.tgz. Replace the file names with the version of the new JDK for your platform and with the version currently installed on your system.
cd $BIGINSIGHTS_HOME
mv jdk/ jdk_orig
sudo chmod 777 ibm-java-sdk-6.0-16.3-linux-x86_64.tgz
sudo chown biadmin:biadmin ibm-java-sdk-6.0-16.3-linux-x86_64.tgz
tar zxvf ibm-java-sdk-6.0-16.3-linux-x86_64.tgz
mv ibm-java-x86_64-60 jdk
mv $BIGINSIGHTS_HOME/hdm/jdk $BIGINSIGHTS_HOME/hdm/jdk_orig
cp -r $BIGINSIGHTS_HOME/jdk $BIGINSIGHTS_HOME/hdm/
Run the following command from the console node against all other nodes in the cluster (node is the name of the non-console node):
Run the following commands on the console node:
Sync the configuration and restart BigInsights:
$BIGINSIGHTS_HOME/bin/syncconf.sh
$BIGINSIGHTS_HOME/bin/start-all.sh
$BIGINSIGHTS_HOME/bin/healthcheck.sh
For other versions affected by this vulnerability, follow the instructions in the mitigation section.
This vulnerability can be mitigated by disabling RC4 in the IBM Java security file and by enabling FIPS mode in the LDAP security plug-in configuration file for Big SQL.
For versions 3.0, 3.0.0.1, 3.0.0.2
Follow the mitigation instructions below as the BigInsights Administrator to disable RC4 in IBM Java:
Locate the java.security file on the console node under $BIGINSIGHTS_HOME/hdm/jdk/jre/lib/security/java.security
Edit the java.security file and turn off RC4 by adding the line: jdk.tls.disabledAlgorithms=SSLv3,RC4
Recreate jdk.tar.gz to include the new version of the java.security file on the console node
Run the following command from the console node against all other nodes in the cluster (node is the name of the non-console node):
On each node:
Restart BigInsights: $BIGINSIGHTS_HOME/bin/start-all.sh
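Added example, not part of the IBM bulletin: a small Python script that performs the java.security edit from the steps above and verifies it before you recreate jdk.tar.gz. java.security is a Java properties file, so a trailing backslash continues a value onto the next line and, when a key is defined more than once, the last definition wins. Appending a second jdk.tls.disabledAlgorithms line therefore silently replaces whatever the file already disabled; the script merges SSLv3 and RC4 into the existing value instead. The sample file content, the function names and the algorithm names in the sample are constructed for this example and are not taken from IBM's shipped file.

```python
"""Merge SSLv3 and RC4 into jdk.tls.disabledAlgorithms in a java.security file
and verify the result. Example code written for this page, not IBM's tooling."""
import re
from pathlib import Path

KEY = "jdk.tls.disabledAlgorithms"
REQUIRED = ("SSLv3", "RC4")  # what the bulletin tells you to disable

# Constructed excerpt of a java.security file (not IBM's real file). The
# existing value spans two physical lines via a backslash continuation.
SAMPLE = (
    "# constructed excerpt, not IBM's shipped java.security\n"
    "security.provider.1=com.ibm.crypto.provider.IBMJCE\n"
    "jdk.tls.disabledAlgorithms=MD5withRSA, \\\n"
    "    SHA1withRSA\n"
)


def _logical_lines(lines):
    """Yield (start, end, joined) for each logical line, joining physical lines
    that end in an odd number of backslashes (the Java properties rule) and
    stripping leading whitespace from continuation lines."""
    i = 0
    while i < len(lines):
        start, parts = i, []
        while True:
            stripped = lines[i].rstrip("\r\n")
            m = re.search(r"\\+$", stripped)
            if m and len(m.group()) % 2 == 1 and i + 1 < len(lines):
                parts.append(stripped[:-1])
                i += 1
                continue
            parts.append(stripped)
            i += 1
            break
        yield start, i, "".join(p.lstrip() if n else p for n, p in enumerate(parts))


def _find_definition(lines):
    """Return (start, end, value) of the LAST non-comment definition of KEY,
    because that is the one the JVM actually uses; None if absent."""
    found = None
    pattern = re.compile(r"\s*" + re.escape(KEY) + r"\s*[=:]\s*(.*)$")
    for start, end, logical in _logical_lines(lines):
        s = logical.lstrip()
        if not s or s[0] in "#!":
            continue
        m = pattern.match(logical)
        if m:
            found = (start, end, m.group(1))
    return found


def parse_disabled(text):
    """List of algorithm tokens in the effective jdk.tls.disabledAlgorithms."""
    d = _find_definition(text.splitlines(keepends=True))
    if d is None:
        return []
    return [tok.strip() for tok in d[2].split(",") if tok.strip()]


def rc4_disabled(text):
    """True when every REQUIRED entry is present (case-insensitive)."""
    algs = {a.upper() for a in parse_disabled(text)}
    return all(r.upper() in algs for r in REQUIRED)


def merge_disabled(text, required=REQUIRED):
    """Return text with `required` merged into the effective definition of KEY.
    Existing entries are kept; if KEY is absent, a definition is appended."""
    lines = text.splitlines(keepends=True)
    merged = parse_disabled(text)
    for r in required:
        if r.upper() not in {a.upper() for a in merged}:
            merged.append(r)
    new_line = f"{KEY}={', '.join(merged)}\n"
    d = _find_definition(lines)
    if d is None:
        if lines and not lines[-1].endswith("\n"):
            lines[-1] += "\n"
        lines.append(new_line)
    else:
        lines[d[0]:d[1]] = [new_line]  # replace the whole logical line
    return "".join(lines)


def harden_file(path):
    """Rewrite a java.security file in place; return True if RC4/SSLv3 end up disabled."""
    p = Path(path)
    updated = merge_disabled(p.read_text())
    p.write_text(updated)
    return rc4_disabled(updated)


if __name__ == "__main__":
    print("before:", parse_disabled(SAMPLE), "rc4 disabled:", rc4_disabled(SAMPLE))
    after = merge_disabled(SAMPLE)
    print("after: ", parse_disabled(after), "rc4 disabled:", rc4_disabled(after))
```

Run `harden_file("$BIGINSIGHTS_HOME/hdm/jdk/jre/lib/security/java.security")` (path expanded) on the console node before the jdk.tar.gz step, and `rc4_disabled(Path(...).read_text())` on each node after distribution to confirm the copy that was pushed out is the hardened one.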
For versions 3.0, 3.0.0.1, 3.0.0.2, and 4.0
Customers who have Secure Sockets Layer (SSL) support enabled in their client configuration using LDAP security plug-in to communicate with LDAP server for Big SQL should follow the instructions below to mitigate the problem. SSL support is not enabled in LDAP security plug-in by default.
Mitigation instructions:
Customers should enable FIPS mode in the LDAP security plug-in as follows:
; FIPS_MODE
; To set SSL encryption FIPS mode on or off.
; Optional; Valid values are true (on) and false (off). Defaults to
; false (FIPS mode off).
FIPS_MODE = true