Security Bulletin: IBM Security Access Manager Appliance has released a fix in response to the vulnerabilities known as Spectre and Meltdown

Published: 2018-08-22 03:41 | Source: www.ibm.com

CVSS3: 5.6 Medium (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)
- Attack Vector: LOCAL
- Attack Complexity: HIGH
- Privileges Required: LOW
- User Interaction: NONE
- Scope: CHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: NONE
- Availability Impact: NONE

CVSS2: 4.7 Medium (AV:L/AC:M/Au:N/C:C/I:N/A:N)
- Access Vector: LOCAL
- Access Complexity: MEDIUM
- Authentication: NONE
- Confidentiality Impact: COMPLETE
- Integrity Impact: NONE
- Availability Impact: NONE

Summary

IBM has released the following fixes for IBM Security Access Manager Appliance in response to CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754.

Vulnerability Details

- CVEID: CVE-2017-5753
- CVEID: CVE-2017-5715
- CVEID: CVE-2017-5754

Affected Products and Versions

| Affected Product Name | Affected Versions |
|---|---|
| IBM Security Access Manager for Web | 7.0 - 7.0.0.34 |
| IBM Security Access Manager for Web | 8.0 - 8.0.1.7 |
| IBM Security Access Manager for Mobile | 8.0 - 8.0.1.7 |
| IBM Security Access Manager | 9.0 - 9.0.4.0 |

Remediation/Fixes

| Product | VRMF | APAR | Remediation |
|---|---|---|---|
| IBM Security Access Manager for Web | 7.0 - 7.0.0.34 | IJ06994 | Apply Interim Fix 35: 7.0.0-ISS-WGA-IF0035 |
| IBM Security Access Manager for Web | 8.0 - 8.0.1.7 | IJ06985 | Upgrade to 8.0.1.8: 8.0.1-ISS-WGA-FP0008 |
| IBM Security Access Manager for Mobile | 8.0 - 8.0.1.7 | IJ06991 | Upgrade to 8.0.1.8: 8.0.1-ISS-ISAM-FP0008 |
| IBM Security Access Manager | 9.0 - 9.0.4.0 | IJ06985 | Upgrade to 9.0.5.0: 9.0.5-ISS-ISAM-FP0000 |

Please note that there is a potential change to performance when the Spectre/Meltdown fixes are applied. As a result, the Spectre/Meltdown fixes are disabled by default in some environments.

In ISAM 9, the fixes are disabled by default on the following two hypervisors:
- XenServer
- Amazon Web Services (AWS)
The fix is enabled by default in all other ISAM 9 environments.

In ISAM 7 & 8 environments, the Spectre/Meltdown fixes are disabled by default in all environments.

Administrators can use the following Advanced Tuning Parameter to enable and disable the Spectre/Meltdown fixes. You can change the value for this Advanced Tuning Parameter in the local management interface by selecting Manage System Settings > System Settings > Advanced Tuning Parameters.

kernel.disable.spectre = true/false

true - indicates that the fix is disabled.
false - indicates that the fix will be enabled.

IBM recommends using a value of kernel.disable.spectre = false in all ISAM environments. Administrators are advised to evaluate the performance in their environments and make deployment adjustments accordingly.
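The fix levels, per-hypervisor defaults and the kernel.disable.spectre override described above combine into a small audit rule. The following is an added example for checking an appliance inventory against that rule; it is not IBM code, and the inventory rows, host names and the `disable_spectre` argument (mirroring the tuning parameter, None when left at its default) are constructed for the example.

```python
from typing import Optional

# Fixed levels from the bulletin's remediation table: 8.0.1.8 for both 8.0
# products, 9.0.5.0 for ISAM 9. The 7.0 fix is an interim fix, detected by name.
FIXED_LEVEL = {8: (8, 0, 1, 8), 9: (9, 0, 5, 0)}
ISAM7_INTERIM_FIX = "7.0.0-ISS-WGA-IF0035"
# Hypervisors on which ISAM 9 ships the fix disabled by default.
ISAM9_DISABLED_BY_DEFAULT = {"xenserver", "aws"}

def parse_version(text: str) -> tuple:
    """'9.0.4.0' -> (9, 0, 4, 0); shorter strings are right-padded with zeros."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def fix_installed(version: str, installed_fixes=()) -> bool:
    """True when the appliance carries the Spectre/Meltdown fix at all."""
    v = parse_version(version)
    if v[0] == 7:
        return ISAM7_INTERIM_FIX in installed_fixes
    return v[0] in FIXED_LEVEL and v >= FIXED_LEVEL[v[0]]

def fix_state(version: str, hypervisor: str, disable_spectre: Optional[bool] = None,
              installed_fixes=()) -> str:
    """Effective state of the fix with its reason. disable_spectre mirrors the
    kernel.disable.spectre tuning parameter (None = left at the default)."""
    if not fix_installed(version, installed_fixes):
        return "not installed"
    if disable_spectre is not None:
        state = "disabled" if disable_spectre else "enabled"
        return f"{state} (kernel.disable.spectre={str(disable_spectre).lower()})"
    if parse_version(version)[0] == 9 and hypervisor.lower() not in ISAM9_DISABLED_BY_DEFAULT:
        return "enabled (default)"
    return "disabled (default)"  # ISAM 7/8 everywhere, ISAM 9 on XenServer/AWS

def needs_action(inventory):
    """Rows of (name, version, hypervisor, disable_spectre, installed_fixes) ->
    names of appliances not running with the fix enabled (IBM's recommendation)."""
    return [row[0] for row in inventory if not fix_state(*row[1:]).startswith("enabled")]

# Constructed sample fleet for the example; not real hosts.
SAMPLE_INVENTORY = [
    ("isam9-vmware", "9.0.5.0", "VMware", None, ()),
    ("isam9-aws", "9.0.5.0", "AWS", None, ()),
    ("isam9-aws-tuned", "9.0.5.0", "aws", False, ()),
    ("isam8-web", "8.0.1.7", "VMware", None, ()),
    ("isam7-web", "7.0.0.34", "VMware", False, (ISAM7_INTERIM_FIX,)),
]
```

Appliances returned by needs_action are either still at a vulnerable level or running with the fix present but disabled, so each one needs either the listed fix or the tuning parameter set to false.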

Performance impact summary

Administrators can expect performance degradation after they enable the mitigation for the vulnerability. Processing times are impacted and as such, users submitting browser-based requests are likely to experience increased response times.

The impact on appliance performance is estimated to be in the 0% to 10% range for most IBM Security Access Manager environments.

However, for XenServer and Amazon Web Services (AWS) environments, testing has shown that the impact on performance ranges from 0% to upwards of 20%.

Due to the nature of more complex environments, this performance degradation may be higher.

Workarounds and Mitigations

None
