Security Bulletin: Vulnerability in RC4 stream cipher affects the VMware GUI in Tivoli Storage Manager for Virtual Environments: Data Protection for VMware and Tivoli Storage FlashCopy Manager for VMware (CVE-2015-2808)

Summary

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects the VMware GUI used by Tivoli Storage Manager for Virtual Environments: Data Protection for VMware 7.1 and Tivoli Storage FlashCopy Manager for VMware 4.1.

Vulnerability Details

CVEID: CVE-2015-2808 DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as “Bar Mitzvah Attack”.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

The VMware GUI component is affected which affects the following products and versions:

• Tivoli Storage Manager for Virtual Environments: Data Protection for VMware 7.1.0.0 through 7.1.1.x
• FlashCopy Manager for VMware 4.1.0.0 through 4.1.1.x

Remediation/Fixes

Tivoli Storage Manager for VE: Data Protection for VMware Release

| First Fixing VRMF Level|Client Platform|Link to Fix / Fix Availability Target
—|—|—|—
7.1| 7.1.2| Linux
Windows| <http://www.ibm.com/support/docview.wss?uid=swg24039450&gt;

**_Tivoli Storage

You should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.

Workarounds and Mitigations

Direct the GUI’s Liberty profile webserver to disable use of the SSLv3 and older protocols. This is done by editing the webserver configuration to set the minimum protocol to be Transport Layer Security (TLS) 1.0.

Use the following procedure to edit the webserver configuration:

1. Locate the file server.xml in its current directory:
Windows: C:\IBM\tivoli\tsm\tdpvmware\webserver\usr\servers\veProfile
Linux: /opt/tivoli/tsm/tdpvmware/common/webserver/usr/servers/veProfile

2. Edit the server.xml file with a text editor as follows:
a) Locate the existing line that starts with <keyStore id=“defaultKeyStore” …
b) Insert the following 2 lines below it:
<ssl id=“veSSLConfig” sslProtocol=“TLS” keyStoreRef=“defaultKeyStore”/>
_ <sslDefault sslRef=“veSSLConfig”/> _
c) Save the changes to server.xml

3. In same directory as server.xml, save the jvm.options file that is attached to this bulletin and located after the Disclaimer.

4. Restart the webserver as follows:
Windows:
a. Click Start > Control Panel > Administrative Tools > Services
b. Right-click Data Protection for VMware Web Server Service and click Restart

Linux: Issue the following command as root:
service webserver restart

The GUI is now operational with SSLv3 and older protocols disabled.

You should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.