Security Bulletin: Vulnerability in RC4 stream cipher affects InfoSphere BigInsights (CVE-2015-2808)

2021-04-08 20:59:42
www.ibm.com

5 Medium (CVSS2)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

Summary

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects InfoSphere BigInsights.

Vulnerability Details

CVEID: CVE-2015-2808
DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as the “Bar Mitzvah Attack”.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Customers who have Secure Sockets Layer (SSL) support enabled for any of the BigInsights components.

IBM InfoSphere BigInsights 2.0, 2.1, 2.1.2, 3.0, 3.0.0.1, 3.0.0.2, 4.0

Remediation/Fixes

For versions 2.1.2, 2.1, and 2.0: Apply the Interim fix, which removes RC4 cipher suites from the default list of enabled cipher suites. After downloading the BigInsights IBM Java version 1.6 Service Refresh 16 Fix Pack 3 from Fix Central, perform the following steps as the BigInsights Administrator to replace the default JDK:

The steps below assume that the new JDK is ibm-java-sdk-6.0-16.3-linux-x86_64.tgz and the current JDK is ibm-java-sdk-6.0-12.0-linux-x86_64.tgz. Replace the file names with the version of the new JDK for your platform and with the current version installed on your system.

  1. Stop InfoSphere BigInsights: $BIGINSIGHTS_HOME/bin/stop-all.sh
  2. Upload the new IBM JDK to console node in the $BIGINSIGHTS_HOME directory
  3. Run the following commands on the BigInsights console node:
  • cd $BIGINSIGHTS_HOME

  • mv jdk/ jdk_orig

  • sudo chmod 777 ibm-java-sdk-6.0-16.3-linux-x86_64.tgz

  • sudo chown biadmin:biadmin ibm-java-sdk-6.0-16.3-linux-x86_64.tgz

  • tar zxvf ibm-java-sdk-6.0-16.3-linux-x86_64.tgz

  • mv ibm-java-x86_64-60 jdk

  • mv $BIGINSIGHTS_HOME/hdm/jdk $BIGINSIGHTS_HOME/hdm/jdk_orig

  • cp -r $BIGINSIGHTS_HOME/jdk $BIGINSIGHTS_HOME/hdm/

  • Run the following commands from the console node against all other nodes in the cluster (node is the name of the non-console node):

    • ssh node "mv $BIGINSIGHTS_HOME/jdk $BIGINSIGHTS_HOME/jdk_orig"
    • scp -r $BIGINSIGHTS_HOME/jdk node:$BIGINSIGHTS_HOME/
  • Run the following commands on the console node:

    • cd $BIGINSIGHTS_HOME/hdm/artifacts
    • mv ibm-java-sdk-6.0-12.0-linux-x86_64.tgz ibm-java-sdk-6.0-12.0-linux-x86_64.tgz_orig
    • cp $BIGINSIGHTS_HOME/ibm-java-sdk-6.0-16.3-linux-x86_64.tgz ibm-java-sdk-6.0-12.0-linux-x86_64.tgz
    • cd $BIGINSIGHTS_HOME/hdm/todeploy
    • mv jdk.tar.gz jdk.tar.gz_orig
    • mv jdk.tar.gz.cksum jdk.tar.gz.cksum_orig
    • syncconf.sh
    • cp jdk.tar.gz.cksum $BIGINSIGHTS_HOME/jdk/.deploy.cksum
    • For each node (where node is the name of the non-console node):
      • scp $BIGINSIGHTS_HOME/jdk/.deploy.cksum node:$BIGINSIGHTS_HOME/jdk/.deploy.cksum
  • Sync the configuration and restart BigInsights:
    $BIGINSIGHTS_HOME/bin/syncconf.sh
    $BIGINSIGHTS_HOME/bin/start-all.sh
    $BIGINSIGHTS_HOME/bin/healthcheck.sh

For other versions affected by this vulnerability, follow the instructions in the mitigation section.

Workarounds and Mitigations

This vulnerability can be mitigated by disabling RC4 in the IBM Java security file and by enabling FIPS mode in the LDAP security plug-in configuration file for Big SQL.

For versions 3.0, 3.0.0.1, 3.0.0.2

Follow the mitigation instructions below as the BigInsights Administrator to disable RC4 in IBM Java:

  1. Stop InfoSphere BigInsights: $BIGINSIGHTS_HOME/bin/stop-all.sh
  2. On the console node, update the java.security file to turn off RC4
  • Locate the java.security file on the console node under $BIGINSIGHTS_HOME/hdm/jdk/jre/lib/security/java.security

  • Edit the java.security file and turn off RC4 by adding: jdk.tls.disabledAlgorithms=SSLv3,RC4

  • Recreate jdk.tar.gz to include the new version of the java.security file on the console node

    • cd $BIGINSIGHTS_HOME/hdm/todeploy
    • mv jdk.tar.gz jdk.tar.gz.orig
    • mv jdk.tar.gz.cksum jdk.tar.gz.cksum.orig
    • syncconf.sh
    • cp $BIGINSIGHTS_HOME/hdm/todeploy/jdk.tar.gz.cksum $BIGINSIGHTS_HOME/jdk/.deploy.cksum
  • Run the following commands from the console node against all other nodes in the cluster (node is the name of the non-console node):

    • ssh node mv $BIGINSIGHTS_HOME/jdk/.deploy.cksum $BIGINSIGHTS_HOME/jdk/.deploy.cksum.orig
    • scp $BIGINSIGHTS_HOME/jdk/.deploy.cksum node:$BIGINSIGHTS_HOME/jdk/.deploy.cksum
  • On each node:

    • Locate the java.security file used by BigInsights: $BIGINSIGHTS_HOME/jdk/jre/lib/security/java.security
    • Edit the java.security file and turn off RC4 by adding: jdk.tls.disabledAlgorithms=SSLv3,RC4
  • Restart BigInsights: $BIGINSIGHTS_HOME/bin/start-all.sh
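Because the property has to be present and uncommented in the java.security file of both the hdm JDK on the console node and the JDK on every cluster node, an audit that reads each file and reports whether RC4 is actually listed in jdk.tls.disabledAlgorithms is a useful post-change check. The script below is an added example, not part of the IBM bulletin; the sample java.security files it creates are constructed, and the real paths to pass are the two locations named above.

```shell
#!/bin/sh
# Added audit helper (not from the IBM bulletin): verify that a java.security
# file disables RC4 for TLS via the effective jdk.tls.disabledAlgorithms entry.
# Handles commented-out definitions and backslash-continued values, which is how
# stock JDK files spell this property. Sample files are constructed via mktemp.

# rc4_disabled FILE: exit 0 if the last uncommented definition lists RC4, else 1.
rc4_disabled() {
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }   # join "\" continuation lines
        { line = buf $0; buf = "" }
        line ~ /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ {
            sub(/^[^=]*=/, "", line); gsub(/[ \t]/, "", line); val = line   # last wins
        }
        END {
            n = split(val, a, ",")
            for (i = 1; i <= n; i++) if (toupper(a[i]) == "RC4") exit 0
            exit 1
        }' "$1"
}

# audit_java_security FILE...: print one status line per file; exit 1 if any
# file still allows RC4, so the result can gate a restart in a wrapper script.
audit_java_security() {
    rc=0
    for f in "$@"; do
        if rc4_disabled "$f"; then echo "OK       $f"
        else echo "RC4 ON   $f"; rc=1; fi
    done
    return $rc
}

# make_sample patched|unpatched: write a constructed java.security, print its path.
make_sample() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample, not a real JDK file' \
        'securerandom.source=file:/dev/urandom' \
        '# jdk.tls.disabledAlgorithms=RC4   (commented out: no effect)' > "$f"
    if [ "$1" = patched ]; then
        printf '%s\n' 'jdk.tls.disabledAlgorithms=SSLv3, \' '    RC4' >> "$f"
    fi
    echo "$f"
}

# Usage: audit_java_security "$BIGINSIGHTS_HOME"/jdk/jre/lib/security/java.security \
#                            "$BIGINSIGHTS_HOME"/hdm/jdk/jre/lib/security/java.security
if [ "${1:-}" = demo ]; then
    audit_java_security "$(make_sample patched)" "$(make_sample unpatched)"
fi
```

Run it over the same path on each node (for example through ssh) to confirm the per-node edit in the step above was applied everywhere before restarting.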

For versions 3.0, 3.0.0.1, 3.0.0.2, and 4.0

Customers who have Secure Sockets Layer (SSL) support enabled in their client configuration using LDAP security plug-in to communicate with LDAP server for Big SQL should follow the instructions below to mitigate the problem. SSL support is not enabled in LDAP security plug-in by default.

Mitigation instructions:

Customers should enable FIPS mode in the LDAP security plug-in as follows:

  1. As the Big SQL instance owner, open the LDAP security plug-in configuration file. The default name and location for the IBM LDAP security plug-in configuration file is:
  • BIGSQL_HOME/sqllib/cfg/IBMLDAPSecurity.ini
  • Optionally, it can reside in the location defined by the DB2LDAPSecurityConfig environment variable
  • Search for the FIPS_MODE configuration parameter in the file and change its value to true. Save and close the file.

; FIPS_MODE
; To set SSL encryption FIPS mode on or off.
; Optional; Valid values are true (on) and false (off). Defaults to
; false (FIPS mode off).
FIPS_MODE = true
