Security Bulletin: Vulnerability with Diffie-Hellman ciphers affects IBM Tivoli Netcool Service Quality Manager (CVE-2015-4000)

Summary

The Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects IBM Tivoli Netcool Service Quality Manager.

Vulnerability Details

CVEID: CVE-2015-4000**
DESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as “Logjam”.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103294 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

This vulnerability affects Tivoli Netcool Service Quality Manager 4.1.4

Remediation/Fixes

IBM has provided patches for all affected versions.
The IBM Java Runtime Environment Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 11 can be downloaded from the IBM Fix Central site:
<https://delivery04.dhe.ibm.com/sar/CMA/WSA/05f7p/0/j564redist.tar.gz&gt;

To install the patch the following procedure has to be performed on TNSQM servers:

$ sap stop
$ sapmon stop
$ sapmgr stop
$ cd ${WMCROOT}/java
$ mv jre jre.old
$ gunzip -c <location of patch>/j564redist.tar.gz | tar -xf -
$ sapmon start
$ sapmgr start
$ sap start

The Logjam attack which affects TLS connections using the Diffie-Hellman (DH) key exchange protocol may affect some configurations in WebSphere Application Server. WebSphere Application Server has DH and DHE ciphers included in the “STRONG” or “HIGH”, “MEDIUM” and “LOW” cipher lists. They also could be present if you have a “CUSTOM” list of ciphers. You will need to remove any of the ciphers that begin with SSL_* or TLS_* that also have DH or DHE in the Name from your WebSphere Application Server SSL configuration. This does NOT include ciphers that have ECDH or ECDHE in the Name, these are elliptic curve Diffie-Hellman ciphers and they are not affected.

You can view the administrative console page to change the settings, click Security > SSL certificate and key management. Under Configuration settings, click** Manage endpoint security configurations > {Inbound | Outbound} >****ssl_configuration. Under Related items, clickSSL configurations > . Click on {SSL_configuration_name }. UnderAdditional Properties**, clickQuality of protection (QoP) settings.
For more information on the Quality of Protection settings refer to the Knowledge Center:http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/usec_sslqualprotect.html?lang=en

Workarounds and Mitigations

None