CVSS2 base score: 5 (Medium)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
CVSS2 vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 0.003 (Low); percentile: 69.3%
The RC4 “Bar Mitzvah” SSL/TLS vulnerability may affect some configurations of the IBM HTTP Server and some configurations of the IBM Caching Proxy for WebSphere Application Server.
**CVEID:** CVE-2015-2808
**DESCRIPTION:** The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as the “Bar Mitzvah Attack”.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
The following IBM HTTP Server (IHS) and IBM Caching Proxy for WebSphere Application Server versions may be affected:
For affected IBM HTTP Server for WebSphere Application Server:
The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI34229 for each named product as soon as practical. By default, APAR PI34229 removes the RC4 ciphers from the default cipher list that is used if you do not specify any ciphers.
NOTE: If you specify any ciphers, you will also need to perform some of the steps in the mitigation section.
**For V8.5.0.0 through 8.5.5.5 Full Profile:**
· Upgrade to a minimum of Fix Pack 8.5.5.2 or later and then apply Interim Fix PI34229
--OR--
· Apply Fix Pack 8.5.5.6 or later.
**For V8.0 through 8.0.0.10:**
· Upgrade to a minimum of Fix Pack 8.0.0.9 or later and then apply Interim Fix PI34229
--OR--
· Apply Fix Pack 8.0.0.11 or later.
**For V7.0.0.0 through 7.0.0.37:**
· Upgrade to a minimum of Fix Pack 7.0.0.33 or later and then apply Interim Fix PI34229
--OR--
· Apply Fix Pack 7.0.0.39 or later.
You should verify that applying this fix does not cause any compatibility issues. The fix disables the RC4 stream cipher by default. If you change this setting, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.
For unsupported versions, IBM recommends upgrading to a fixed, supported version of the product.
For affected IBM HTTP Server for WebSphere Application Server:
IBM recommends disabling RC4 in IBM HTTP Server. To disable RC4, complete the steps below:
For Version 8.0 and later:
Note: On z/OS, SSLFIPSEnable is only available in 8.5.5.0 and later and is set once globally instead of per virtual host.
```
SSLCipherSpec ALL -SSL_RSA_WITH_RC4_128_SHA -SSL_RSA_WITH_RC4_128_MD5
```
```
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec 34
SSLCipherSpec 35
```
3. Review the current configuration for SSL ciphers configured via SSLCipherSpec directives with at least two arguments each that add an RC4-based cipher. Search for either “RC4” or the numbers “34” and “35” within SSLCipherSpec directives and remove the corresponding ciphers. A multi-argument directive that adds a non-RC4 cipher looks like this:
```
SSLCipherSpec TLSv1 +TLS_RSA_WITH_AES_128_CBC_SHA
```
Do this for all the ‘SSLCipherSpec’ directives.
**For Versions 6.0, 6.1, or 7.0:**
One way to mitigate this issue is to turn on FIPS 140-2 support, which will both disable RC4 by default and result in a startup error if RC4 is inadvertently enabled.
For each existing ‘SSLEnable’ in your IHS configuration, add ‘SSLFIPSEnable’.
If you do not wish to enable FIPS 140-2 support or if you run into a complication, you may do all of the following, whichever applies to your configuration. Remove any of these single-argument directives that enable RC4:
```
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec 34
SSLCipherSpec 35
```
A directive that adds a non-RC4 cipher, such as the following, may stay:
```
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
```
For affected IBM Caching Proxy for WebSphere Application Server:
IBM recommends disabling RC4 in IBM Caching Proxy. To disable RC4, complete the steps below:
For Version 8.5.5.5 and later:
A simple way to mitigate this issue is to turn on FIPS 140-2 support, which will both disable RC4 by default and remove any RC4 ciphers added inadvertently. To enable FIPS 140-2, add the directive ‘FIPSEnable on’.
If you cannot enable FIPS 140-2 support or if you run into a complication, you must complete all of the following to disable RC4:
```
TLS_RSA_WITH_RC4_128_SHA(05)
TLS_RSA_WITH_RC4_128_MD5(04)
```
2. In the V3Cipherspecs directive, remove any references to the following ciphers:
```
TLS_RSA_WITH_RC4_128_SHA(05)
TLS_RSA_WITH_RC4_128_MD5(04)
TLS_RSA_EXPORT_WITH_RC4_40_MD5(03)
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA(64)
```
3. In the V2Cipherspecs directive, remove any references to the following ciphers:
```
1-RC4 US
2-RC4 Export
```
**For Versions 8.5.5.4 and earlier:**
A simple way to mitigate this issue is to turn on FIPS 140-2 support, which will both disable RC4 by default and remove any RC4 ciphers added inadvertently. To enable FIPS 140-2, add the directive ‘FIPSEnable on’.
If you cannot enable FIPS 140-2 support or if you run into a complication, you must complete all of the following to disable RC4:
```
TLS_RSA_WITH_RC4_128_SHA(05)
TLS_RSA_WITH_RC4_128_MD5(04)
TLS_RSA_EXPORT_WITH_RC4_40_MD5(03)
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA(64)
```
2. In the V2Cipherspecs directive, remove any references to the following ciphers:
```
1-RC4 US
```
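The two mitigation sections above (IHS SSLCipherSpec directives, and Caching Proxy V3Cipherspecs/V2Cipherspecs directives) both come down to finding every place a configuration still adds an RC4 cipher. The following script is an added example, not part of the IBM bulletin and not IBM's code: it audits an httpd.conf excerpt for SSLCipherSpec directives that add RC4 by name or by the short numbers 34/35 (honouring the `ALL -cipher` exclusion form and the optional protocol argument of the 8.x syntax), and audits an ibmproxy.conf excerpt for the RC4 codes the bulletin lists. The sample configurations are constructed. One assumption of mine, not stated in the bulletin: Caching Proxy V3CipherSpecs and V2CipherSpecs values are taken to be cipher codes run together, two characters per V3 code (05, 04, 03, 64) and one character per V2 code (1, 2).

```python
import re

# RC4 cipher names and numeric short names the bulletin says to remove from IHS SSLCipherSpec.
IHS_RC4_CIPHERS = {"SSL_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_RC4_128_MD5", "34", "35"}
# Optional first argument of an IHS 8.x SSLCipherSpec directive that scopes it to a protocol.
PROTOCOL_KEYWORDS = {"ALL", "SSLV2", "SSLV3", "TLSV1", "TLSV11", "TLSV12"}
# Caching Proxy RC4 codes from the bulletin: two hex characters per V3 code,
# one character per V2 code ("1-RC4 US", "2-RC4 Export").
CP_V3_RC4_CODES = {"05", "04", "03", "64"}
CP_V2_RC4_CODES = {"1", "2"}


def _directives(conf, name):
    """Yield (line_number, argument_string) for each uncommented `name` directive."""
    pat = re.compile(r"^\s*" + re.escape(name) + r"\s+(.*?)\s*$", re.IGNORECASE)
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = pat.match(line)
        if m:
            yield lineno, m.group(1)


def audit_ihs(conf):
    """Audit IBM HTTP Server SSLCipherSpec directives for RC4.

    Returns (additions, exclusions, fips_enabled): directives that add an RC4
    cipher as (line_number, cipher), the RC4 ciphers explicitly removed with a
    '-' prefix, and whether an SSLFIPSEnable directive is present.
    """
    additions, exclusions = [], set()
    fips = re.search(r"^\s*SSLFIPSEnable\b", conf, re.IGNORECASE | re.MULTILINE) is not None
    for lineno, args in _directives(conf, "SSLCipherSpec"):
        tokens = args.split()
        if tokens and tokens[0].upper() in PROTOCOL_KEYWORDS:
            tokens = tokens[1:]  # the protocol argument names no cipher
        for tok in tokens:
            # A bare cipher or '+cipher' adds it; '-cipher' removes it from the list.
            sign, name = (tok[0], tok[1:]) if tok[:1] in ("+", "-") else ("+", tok)
            if name.upper() not in IHS_RC4_CIPHERS:
                continue
            if sign == "-":
                exclusions.add(name.upper())
            else:
                additions.append((lineno, name.upper()))
    return additions, exclusions, fips


def audit_caching_proxy(conf):
    """Audit Caching Proxy V3CipherSpecs/V2CipherSpecs for the RC4 codes in the bulletin.

    Assumption (the bulletin does not show the directive syntax): the value is the
    cipher codes run together, two characters per V3 code and one per V2 code.
    Returns (findings, fips_on) with findings as (line_number, directive, code).
    """
    findings = []
    fips_on = re.search(r"^\s*FIPSEnable\s+on\b", conf, re.IGNORECASE | re.MULTILINE) is not None
    for directive, width, rc4_codes in (("V3CipherSpecs", 2, CP_V3_RC4_CODES),
                                        ("V2CipherSpecs", 1, CP_V2_RC4_CODES)):
        for lineno, args in _directives(conf, directive):
            value = re.sub(r"\s+", "", args).upper()
            for i in range(0, len(value), width):
                code = value[i:i + width]
                if code in rc4_codes:
                    findings.append((lineno, directive, code))
    return findings, fips_on


# Constructed sample configurations (not taken from the bulletin or from IBM).
IHS_CONF_BEFORE = """\
# httpd.conf excerpt: enables RC4 by name and by short number
Listen 443
<VirtualHost *:443>
  SSLEnable
  SSLCipherSpec TLSv1 +TLS_RSA_WITH_AES_128_CBC_SHA
  SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA
  SSLCipherSpec ALL +35
</VirtualHost>
"""

IHS_CONF_AFTER = """\
# httpd.conf excerpt: RC4 removed as the bulletin recommends for V8.0 and later
Listen 443
<VirtualHost *:443>
  SSLEnable
  SSLCipherSpec ALL -SSL_RSA_WITH_RC4_128_SHA -SSL_RSA_WITH_RC4_128_MD5
  SSLCipherSpec TLSv1 +TLS_RSA_WITH_AES_128_CBC_SHA
</VirtualHost>
"""

CP_CONF = """\
# ibmproxy.conf excerpt: RC4 present in both cipher spec lists (codes other than RC4 are filler)
FIPSEnable off
V3CipherSpecs 2F350A05
V2CipherSpecs 13
"""


def report(label, findings, fips):
    status = "no RC4 found" if not findings else f"{len(findings)} RC4 setting(s)"
    print(f"{label}: {status}; FIPS directive present/on: {fips}")
    for finding in findings:
        print("  line", *finding)


if __name__ == "__main__":
    adds, excl, fips = audit_ihs(IHS_CONF_BEFORE)
    report("IHS before", adds, fips)
    adds, excl, fips = audit_ihs(IHS_CONF_AFTER)
    report("IHS after", adds, fips)
    print("  explicitly excluded:", sorted(excl))
    findings, fips_on = audit_caching_proxy(CP_CONF)
    report("Caching Proxy", findings, fips_on)
```

Run against the "before" excerpt the script reports lines 6 and 7 (RC4 by name, then by the short number 35); against the "after" excerpt it reports nothing and lists both RC4 ciphers as explicitly excluded. Directive matching is case-insensitive so that either spelling, V3Cipherspecs or V3CipherSpecs, is found; commented-out directives are ignored because the pattern requires the directive name at the start of the line.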
CPE:

| Name | Operator | Version |
|---|---|---|
| ibm http server | eq | 8.5.5 |
| ibm http server | eq | 8.5 |
| ibm http server | eq | 8.0 |
| ibm http server | eq | 7.0 |
| ibm http server | eq | 6.1 |
| websphere application server | eq | any |