Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMEA38DCD9E6C0EDF4B7CF2FA132F86A1976E7E76ACE396ED88D6E0C536094C74D
HistoryNov 25, 2020 - 9:51 a.m.

Security Bulletin: Passwords stored in reversible manner in Security Key Lifecycle Manager (SKLM) (CVE-2020-4568)

2020-11-2509:51:15
www.ibm.com
5

0.0004 Low

EPSS

Percentile

5.1%

JSON

Summary

The ssl.client.props in WebSphere Application Server uses the weak WAS XOR protection mechanism for keystore and truststore passwords. Security Key Lifecycle Manager v4.0 adds code to encrypt these instead. There are some manual steps required to make use of the new capability in v4.0.

Vulnerability Details

CVEID:CVE-2020-4568
**DESCRIPTION:**IBM Tivoli Key Lifecycle Manager stores user credentials in plain in clear text which can be read by a local user.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/184157 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Security Key Lifecycle Manager 3.0.1
IBM Security Key Lifecycle Manager 3.0
IBM Security Key Lifecycle Manager 4.0

Remediation/Fixes

Product Remediation/First Fix
IBM Security Key Lifecycle Manager SKLM v4.0

Install Security Key Lifecycle Manager v4.0 and perform the following steps:

1. Stop WebSphere Application Server.
2. Take a backup of the following files:

Windows:

  1. <WAS_HOME>\bin\stopServer.bat
  2. <WAS_HOME>\bin\serverStatus.bat
  3. <WAS_HOME>\bin\wsadmin.bat

Linux:

  1. <WAS_HOME>/bin/stopServer_org.sh
  2. <WAS_HOME>/bin/serverStatus.sh
  3. <WAS_HOME>/bin/wsadmin_org.sh

3. Complete these steps for each backed-up file mentioned in above step based on the operating system:

Windows:

a. Open the following file stopServer.batand serverStatus.batin edit mode and locate the following text:

&gt;&gt; %TMPJAVAPROPFILE% echo com.ibm.ffdc.log=%FFDCLOG%

b. On a new line after the located text, add the following lines:

&gt;&gt; %TMPJAVAPROPFILE% echo com.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled=true
&gt;&gt; %TMPJAVAPROPFILE% echo com.ibm.wsspi.security.crypto.customPasswordEncryptionClass=com.ibm.tklm.obfuscation.handlers.SKLMWASPasswordEncryptionHandler

c. Save the file and close it.

d. Open the wsadmin.batin edit mode and locate the following text:

>> %TMPJAVAPROPFILE% echo com.ibm.ws.ffdc.log=%USER_INSTALL_ROOT%/logs/ffdc/

e. On a new line after the located text, add the following lines:

>> %TMPJAVAPROPFILE% echo com.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled=true
>> %TMPJAVAPROPFILE% echo com.ibm.wsspi.security.crypto.customPasswordEncryptionClass=com.ibm.tklm.obfuscation.handlers.SKLMWASPasswordEncryptionHandler

f. Save the file and close it.

Linux:

a. Open the following file stopServer_org.shandserverStatus.shin edit mode and locate the following text:

D_ARGS="-Dws.ext.dirs

b. At the end of above line after the located text, add the following text:

-Dcom.ibm.wsspi.security.crypto.customPasswordEncryptionClass=com.ibm.tklm.obfuscation.handlers.SKLMWASPasswordEncryptionHandler"

Make sure you remove the double quotes in the located text above and add the new text after space.

c. Save the file and close it.

d. Open the following file wsadmin_org.shin edit mode and locate the following text:

-Dcom.ibm.ffdc.log=“${USER_INSTALL_ROOT}/logs/ffdc/” \

e. On a new line after the located text, add the following lines:

-Dcom.ibm.wsspi.security.crypto.customPasswordEncryptionEnabled=true \
-Dcom.ibm.wsspi.security.crypto.customPasswordEncryptionClass=com.ibm.tklm.obfuscation.handlers.SKLMWASPasswordEncryptionHandler \

f. Save the file and close it.

4. Navigate to the bin directory under <WAS_HOME>.

Windows: Open the command prompt and change directory to &lt;WAS_HOME&gt;\bin directory.
Linux: Open the terminal and change directory to &lt;WAS_HOME&gt;/bin directory.

5. Run the following command:

Windows:

PropFilePasswordEncoder_ce.bat “<WAS_HOME>\profiles\KLMProfile\properties\ssl.client.props” “com.ibm.ssl.keyStorePassword,com.ibm.ssl.trustStorePassword”

Example:

PropFilePasswordEncoder_ce.bat "c:\Program Files\IBM\WebSphere\AppServer\profiles\KLMProfile\properties\ssl.client.props"  "com.ibm.ssl.keyStorePassword,com.ibm.ssl.trustStorePassword"

where, WAS_HOME = C:\Program Files\IBM\WebSphere\AppServer

Linux:

PropFilePasswordEncoder_ce.sh “<WAS_HOME>/profiles/KLMProfile/properties/ssl.client.props” “com.ibm.ssl.keyStorePassword,com.ibm.ssl.trustStorePassword”

Example:

PropFilePasswordEncoder_ce.sh "/opt/IBM/WebSphere/AppServer/profiles/KLMProfile/properties/ssl.client.props"   "com.ibm.ssl.keyStorePassword,com.ibm.ssl.trustStorePassword"

where, WAS_HOME = /opt/IBM/WebSphere/AppServer

6. Start WebSphere AppServer Server.

Note - A future release of the product will automatically handle these steps during installation.

Workarounds and Mitigations

None

Related

cve 1
cvelist 1
nvd 1
prion 1
cve
cve
CVE-2020-4568
2020-11-10 15:15:12
cvelist
cvelist
CVE-2020-4568
2020-11-09 00:00:00
nvd
nvd
CVE-2020-4568
2020-11-10 15:15:12
prion
prion
Sql injection
2020-11-10 15:15:00

0.0004 Low

EPSS

Percentile

5.1%

JSON
Related for EA38DCD9E6C0EDF4B7CF2FA132F86A1976E7E76ACE396ED88D6E0C536094C74D
cve1cvelist1nvd1prion1