IBM Support

IC67848: SECURITY: TRANSPORT LAYER SECURITY (TLS) HANDSHAKE RENEGOTIATION WEAK SECURITY CVE-2009-3555


APAR status

  • Closed as program error.

Error description

  • All customers using DB2 and relying on Secure Socket Layer v3
    (SSLv3) or any of the multiple versions of Transport Layer
    Security (TLS) in support of secure communications between a
    client and server or between server and server are impacted by a
    recently discovered weakness in the TLS and SSL v3 protocols.
    SSLv2 is not affected.
    
    The TLS/SSL weakness exists in multiple implementations of the
    Transport Layer Security (TLS) protocol, including SSL.
    
    To address the weakness in the TLS/SSL handshake renegotiation,
    IBM, along with the other members of the Industry Consortium for
    the Advancement of Security on the Internet (ICASI), is working
    together with the Internet Engineering Task Force (IETF) to
    enhance and strengthen the handshake renegotiation protocol in
    the TLS specification. This effort will take some time to
    complete. The delivery outlook for inclusion of this enhanced
    handshake renegotiation capability in TLS protocol
    implementations is unknown at this time.
    
    In the interim, DB2 is delivering a fix to allow an installation
    to disable the TLS handshake renegotiation. The TLS handshake
    renegotiation is rarely used. Disabling the TLS handshake
    renegotiation will block a remote attacker from attempting to
    exploit the weakness in the TLS protocol. After installing this
    fix, the default setting will disable the TLS handshake
    renegotiation. The fix also provides the user with an option to
    re-enable renegotiation if warranted. TLS handshake
    renegotiation should be re-enabled only if absolutely necessary
    and with a clear understanding and acceptance of the potential
    security risks.
    
    IBM recommends installing all Security and System Integrity
    PTFs applicable to z/OS and any installed FMIDs. To determine
    whether PTFs are needed, customers should follow normal
    procedures in obtaining security/integrity PTFs from IBM for
    z/OS. The IBM System z policy restricts distribution of
    security and system integrity APARs to reduce the risk of
    exposure. Customer representatives who have been authorized for
    System z Security Access can obtain Security/Integrity
    information, including SMP/E Enhanced HOLD DATA, for all
    security/integrity APARs. Please see
    http://www.vm.ibm.com/devpages/spera/aparinfo.html for details
    on the procedures authorizing access to IBM System z
    security/integrity information. Security/integrity service
    information should be checked on a regular basis and PTFs
    applied as soon as possible to eliminate potential risks.
    
    Special note for IBM WebSphere MQ customers:
    Customers using IBM WebSphere MQ may need to install APAR
    IZ64859 (zOS MQ V6 is PM01584 and zOS MQ V7 PM01586). After
    installing the TLS/SSL renegotiation disablement fixes, the MQ
    SSL Secret Key Reset function, controlled by the QMGR attribute
    SSLRKEYC or equivalent WMQ client variables, will no longer
    function until APAR IZ64859 has been installed.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All DB2 Servers on all Linux, Unix and Windows platforms     *
    * using GSKit versions below v7.0.4.27.                        *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See Error Description.                                       *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Install GSKit v7.0.4.27 or beyond. GSKit is used for Secure  *
    * Socket Layer (SSL) support. If you are not using SSL, it is  *
    * not necessary to upgrade. If you do need to upgrade, it is   *
    * only necessary to upgrade the GSKit on DB2 Servers. The DB2  *
    * clients do not need to have their GSKit upgraded.            *
    ****************************************************************
    

Problem conclusion

  • You can obtain the latest GSKit libraries from the IBM DB2
    Support Files for SSL Functionality DVD. Alternatively, you
    can install from an image that you downloaded from Passport
    Advantage.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC67848

  • Reported component name

    DB2 FOR LUW

  • Reported component ID

    DB2FORLUW

  • Reported release

    910

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-04-13

  • Closed date

    2010-04-22

  • Last modified date

    2010-08-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IC68054 IC68055

Fix information

  • Fixed component name

    DB2 FOR LUW

  • Fixed component ID

    DB2FORLUW

Applicable component levels

  • R910 PSN

       UP



Document information

More support for: DB2 for Linux, UNIX and Windows

Software version: 9.1

Reference #: IC67848

Modified date: 17 August 2010

