Lucene search

K
ibmIBMB84C78D03D986BF322F4DAA6A582BF37937165F4BFD024C3BA31CB8D635DDAEA
HistoryJul 18, 2020 - 11:22 p.m.

Security Bulletin: Vulnerability with Diffie-Hellman ciphers may affect IBM Infosphere BigInsights (CVE-2015-4000)

2020-07-1823:22:56
www.ibm.com
19

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

Summary

The Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects IBM Infosphere BigInsights.

Vulnerability Details

CVEID: CVE-2015-4000**
DESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as “Logjam”.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103294 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM InfoSphere BigInsights 1.1.0, 1.2.0, 1.3.0,1.4.0, 2.0, 2.1, 2.1.2, 3.0, 3.0.0.1, 3.0.0.2, 4.0

Remediation/Fixes

Update JVM as a fix for all affected releases of BigInsights.

Workarounds and Mitigations

For BI 3.x or earlier

  1. Upgrade to a Java version that corrects the vulnerability

To obtain a fix pack, go to <http://www.ibm.com/developerworks/java/jdk/linux/download.html&gt; and download an updated edition of Java for Linux, **Platform:**64-bit AMD/Opteron/EM64T

BigInsights products use:

Java SE Version 7 for BI 3.x
* IBM SDK, Java Technology Edition, Version 7, Release 1, Service Refresh 3, Fix Pack 1
* IBM SDK, Java Technology Edition, Version 7, Service Refresh 9, Fix Pack 1
* Java SE Version 6 for BI versions earlier than 3.x
* IBM SDK, Java Technology Edition, Version 6.0.1 (J9 VM2.6), Service Refresh 8, Fix Pack 5
* IBM SDK, Java Technology Edition, Version 6, Service Refresh 16, Fix Pack 5

2. To confirm that vulnerability does not exist

After updating the Java version

  1. Enable https and configure with self created certificate
  2. Using Firefox 38.0.1. ESR or later, you will not see an error similar to the attachment: check_if_vulnerable.png

For BI 4.0

Knox

  1. Upgrade to openjdk java version “1.7.0_79” (critical security upgrade)
  • yum install java-1.7.0-openjdk-devel java-1.7.0-openjdk
    2. Modify /etc/ambari-server/conf/ambari.properties for ambari to pick up openjdk-1.7.0.79
  • java.home=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.79.x86_64
    3. Stop Knox server from Ambari
    4. Backup your script, /usr/iop/current/knox-server/bin/gateway.sh
    5. Update /usr/iop/current/knox-server/bin/gateway.sh with “gateway.shgateway.sh
    6. Re-start Knox server from Ambari

Ambari
If only using ambari-server setup-security to set SSL self signed (non CA certificate), follow these steps:

  1. From Ambari server node command line, run: “ambari-server stop”
  2. Backup your script, /var/lib/ambari-agent/ambari-env.sh
  3. Upgrade to openjdk java version “1.7.0_79” (critical security upgrade)
  4. Update /var/lib/ambari-agent/ambari-env.sh with “ambari-env.shambari-env.sh
  5. Start Ambari server, run: “ambari-server start”

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N