IBMFDF9FD00EFCC980759F170CDD7E7B4194C96047EAB6D513B03471DE0D5A423DCSecurity Bulletin: Vulnerability in IBM Java Runtime affects IBM Tivoli Monitoring (CVE-2015-0138)
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
Summary
The “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability affects IBM® Runtime Environment Java™ Technology Edition that is used by IBM Tivoli Monitoring (ITM).
GSKit is an IBM component that is used by IBM Tivoli Monitoring. The GSKit that is shipped with IBM Tivoli Monitoring contains a security vulnerability for the “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability. ITM has addressed the CVE.
Vulnerability Details
CVEID: CVE-2015-0138**
DESCRIPTION:** A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.
This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
**
**
The Java remediation below also includes fixes for the following CVEs:
CVEID: CVE-2014-6593
DESCRIPTION: An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100153> for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVEID: CVE-2015-0410
DESCRIPTION: An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/100151> for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Affected Products and Versions
The following components of IBM Tivoli Monitoring (ITM) are affected by this vulnerability
- Portal server when configured to use SSL over IIOP - ITM versions 6.2.0 through 6.3.0 FP4
- Java (CANDLEHOME) - ITM Java-based agents using JSSE. - ITM versions 6.2.2 through 6.3.0 FP4
- GSKit - portal server, monitoring servers, and agents - ITM versions 6…20 through 6.2.1 FP4
Remediation/Fixes
**
Java (CANDLEHOME) Remediation:
**
The IBM Tivoli Monitoring servers and base agents (those shipped as part of IBM Tivoli Monitoring Fix Packs) are not affected by this vulnerability. Only Java-based agents utilizing Java Secure Socket Extension (JSSE) which rely on the JRE in the IBM Tivoli Monitoring installation directory (for example, CANDLEHOME) can be affected. Agents affected will publish separate security bulletins and reference this bulletin for the remediation.
For systems where the affected agents are installed, the patch below (or later patch) should be installed which will update the shared Tivoli Enterprise-supplied JRE (jr component on UNIX/Linux) or Embedded JVM (JVM component on Windows).
You should verify applying this fix does not cause any compatibility issues.
| Fix | VMRF | APAR | Remediation/First Fix |
|---|---|---|---|
| 6.X.X-TIV-ITM_JRE_CANDLEHOME-20150409 | 6.2.2 through 6.3.0 FP4 | None. | http://www.ibm.com/support/docview.wss?uid=swg24039756 |
| 6.3.0-TIV-ITM-FP0005 | 6.3.0.x | None. | http://www.ibm.com/support/docview.wss?uid=swg24039236 |
The technote Upgrading Shared Components for IBM Tivoli Monitoring Agents provides information on how shared libraries are used.
**
Portal Server:
__
**Portal Server Communication with Portal Clients:
Portal Server Communication with Portal Clients when configured to use SSL over IIOP protocol. SSL over IIOP is being used if both conditions below are true:
- HTTPS is not being used
- applet.html file does not have the tep.connection.protocol=http or https AND
- tep.jnlp file does not have tep.connection.protocol=https
- the KFW_INTERFACE_cnps_SSL is set to “Y” in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config)
| Fix | VMRF | Remediation/First Fix |
|---|---|---|
| 6.3.0-TIV-ITM-FP0005-IV74486 | 6.3.0 | http://www.ibm.com/support/docview.wss?uid=swg24040448 |
| 6.2.3-TIV-ITM-FP0005-IV74486 | 6.2.3 | http://www.ibm.com/support/docview.wss?uid=swg24040448 |
| 6.2.2-TIV-ITM-FP0009-IV74486 | 6.2.2 | http://www.ibm.com/support/docview.wss?uid=swg24040448 |
| 6.3.0-TIV-ITM-FP0006 | 6.3.0.x | __<http://www.ibm.com/support/docview.wss?uid=swg24040390>__ |
| Check link for status on availability. |
For IBM Tivoli Monitoring 6.2.0 and 6.2.1, IBM recommends upgrading to a fixed, supported version/release of the product as listed above.
You should verify applying this fix does not cause any compatibility issues.
**
GSKit Remediation:
**
The GSKit with IBM Tivoli Monitoring 6.2.0 through 6.2.1 FP4 is affected. Customers running IBM Tivoli Monitoring version 6.2.0 through 6.2.1.FP4 should upgrade to 6.2.2 or higher for the IBM Tivoli Monitoring infrastrucutre (e.g. portal server, monitoring servers). Call support if unable to upgrade. Recommend to upgrade to 6.22 FP9, 6.23 FP5, or 6.30 FP4 (or higher).
For IBM Tiovli Monitoring 6.2.0 and 6.2.1 Agents, once the infrastructure is at 6.2.2 (or higher), then the shared components of the agents need to be upgraded to the same level. The technote Upgrading Shared Components for IBM Tivoli Monitoring Agents contains the commands that can be used to upgrade the shared components (e.g. GSKit).
Workarounds and Mitigations
**
__
**Portal Server Communication with Portal Clients Workaround:
A configuration change is required when the portal server is configured to use the SSL over IIOP protocol if the patch above is not installed… SSL over IIOP is being used if both conditions below are true:
- HTTPS is not being used
- applet.html file does not have the tep.connection.protocol=http or https AND
- tep.jnlp file does not have tep.connection.protocol=https
- the KFW_INTERFACE_cnps_SSL is set to “Y” in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config)
Edit the portal server configuration file:
Windows: <install_dir>/CNPS/KFWENV
Linux/AIX: <install_dir>/config/cq.ini
Add/modify the following variable:
ITM version 6.30 through 6.30 FP4:
KFW_ORBPARM=-Dvbroker.security.server.socket.enabledProtocols=TLS_Version_1_0_Only -Dvbroker.security.cipherList=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,TLS_DHE_RSA_
WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA
ITM version 620 through 6.23 FP5:
KFW_ORBPARM=-Dvbroker.security.cipherList=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,TLS_DHE_RSA_
WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA
Stop and restart portal server for the changes to take affect.
- You should verify applying this configuration change does not cause any compatibility issues.
| CPE | Name | Operator | Version |
|---|---|---|---|
| tivoli monitoring | eq | 6.3.0 | |
| tivoli monitoring | eq | 6.2.3 | |
| tivoli monitoring | eq | 6.2.2 | |
| tivoli monitoring | eq | 6.2.1 | |
| tivoli monitoring | eq | 6.2.0 |
Related
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P