IBM Support

IJ07855: FOR IBMJCEPLUS AND IBMJCEPLUSFIPS PROVIDERS, THE DEPENDENT LIBRARY 'IBM CRYPTO FOR C MODULE' HAS BEEN UPGRADED.

APAR status

  • Closed as program error.

Error description

  • Error Message: N/A
    .
    Stack Trace: N/A
    .
    N/A
    

Local fix

Problem summary

  • For IBMJCEPlus and IBMJCEPlusFIPS providers, the dependent
    library 'IBM Crypto for C module' has been upgraded.
    

Problem conclusion

  • For IBMJCEPlus and IBMJCEPlusFIPS providers, the dependent
    library 'IBM Crypto for C module' has been upgraded.
    
    The dependent library for IBMJCEPlus provider has been upgraded
    from version 8.5.38.0 to 8.7.6.0
    
    The dependent library for IBMJCEPlusFIPS provider has been
    upgraded from version 8.4.1.0 to 8.6.0.0
    
    The upgrade fixes three Common Vulnerabilities and
    Exposures (CVEs) and extends the sunset date for FIPS 140-2
    certification.
    
    FIPS 140-2 certification:
    
    The IBM Crypto for C module, version 8.6.0.0, is now FIPS 140-2
    certified till 11/13/2022 and the new certificate is available
    at the URL
    
    https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/3064
    
    The new version of the underlying native library used by
    IBMJCEPlus and IBMJCEPlusFIPS added support for some algorithms,
    which are not yet supported by IBMJCEPlus and IBMJCEPlusFIPS.
    These are:
    
    RSA-PSS algorithm for digital signature and verification.
    HMAC-SHA3 algorithms for message authentication code.
    SHA3 algorithms for creating message digests.
    AES-CTR algorithm for data encryption and decryption.
    
    Refer to the IBM SDK documentation for further details.
    
    Common Vulnerabilities and Exposures:
    
    The upgrade fixes three CVEs. The conditions under which each
    vulnerability applies are listed below.
    
    Performing DSA key operations with either IBMJCEPlus or
    IBMJCEPlusFIPS providers will require applying the upgrade to
    fix the vulnerability CVE-2016-0705.
    
    CVEID: CVE-2016-0705
    DESCRIPTION: OpenSSL is vulnerable to a denial of service,
    caused by a double-free error when parsing DSA private keys. An
    attacker could exploit this vulnerability to corrupt memory and
    cause a denial of service.
    CVSS Base Score: 3.7
    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/111140 for
    the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
    
    Performing RSA or DSA operations with either IBMJCEPlus or
    IBMJCEPlusFIPS providers, on a 64-bit Windows platform, will
    require applying the upgrade to fix the vulnerabilities
    CVE-2017-3732 and CVE-2017-3736.
    
    CVEID: CVE-2017-3732
    DESCRIPTION: OpenSSL could allow a remote attacker to obtain
    sensitive information, caused by a carry propagating bug in the
    x86_64 Montgomery squaring procedure. An attacker could exploit
    this vulnerability to obtain information about the private key.
    CVSS Base Score: 5.3
    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/121313 for
    the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
    
    
    CVEID: CVE-2017-3736
    DESCRIPTION: OpenSSL could allow a remote attacker to obtain
    sensitive information, caused by a carry propagation flaw in the
    x86_64 Montgomery squaring function bn_sqrx8x_internal(). An
    attacker with online access to an unpatched system could exploit
    this vulnerability to obtain information about the private key.
    CVSS Base Score: 5.9
    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/134397 for
    the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
    
    
    The associated Hursley RTC Problem Report is: 138002
    
    JVMs affected: Java 8.0
    
    The fix was delivered for Java 8 SR5 FP20
    
    The upgrade does not require any changes to IBMJCEPlus.jar.
    
    The build level of this jar for the affected releases is - NA
    .
    This APAR will be fixed in the following Java Releases:
       8    SR5 FP20  (8.0.5.20)
    .
    Contact your IBM Product's Service Team for these Service
    Refreshes and Fix Packs.
    For those running stand-alone, information about the available
    Service Refreshes and Fix Packs can be found at:
               https://www.ibm.com/developerworks/java/jdk/
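
A triage sketch for the applicability conditions and fix level stated above, added here as an illustration and not IBM code. The `Runtime` record, the host names and the inventory entries are constructed, and versions are assumed to be recorded in the dotted form this APAR uses (8.0.5.20).

```python
from dataclasses import dataclass, field

FIXED_LEVEL = (8, 0, 5, 20)                   # Java 8 SR5 FP20, per the APAR
PROVIDERS = {"IBMJCEPlus", "IBMJCEPlusFIPS"}  # providers named in the APAR

@dataclass
class Runtime:                                # hypothetical inventory record
    host: str
    java_version: str                         # dotted form, e.g. "8.0.5.17"
    os: str                                   # "windows", "linux", ...
    arch_bits: int
    providers: set = field(default_factory=set)
    algorithms: set = field(default_factory=set)  # key algorithms in use

def parse_level(version: str) -> tuple:
    """Turn 'V.R.SR.FP' into a tuple that compares numerically."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected V.R.SR.FP, got {version!r}")
    return parts

def applicable_cves(rt: Runtime) -> list:
    level = parse_level(rt.java_version)
    # The APAR lists only Java 8.0 as affected; 8.0.5.20 and later carry the fix.
    if level[:2] != (8, 0) or level >= FIXED_LEVEL:
        return []
    if not (rt.providers & PROVIDERS):        # neither provider is in use
        return []
    algs = {a.upper() for a in rt.algorithms}
    cves = []
    if "DSA" in algs:                         # DSA key operations, any platform
        cves.append("CVE-2016-0705")
    if algs & {"RSA", "DSA"} and rt.os.lower() == "windows" and rt.arch_bits == 64:
        cves += ["CVE-2017-3732", "CVE-2017-3736"]
    return cves

def triage(inventory) -> dict:
    return {rt.host: applicable_cves(rt) for rt in inventory}

# Constructed sample inventory (not real hosts).
INVENTORY = [
    Runtime("app01", "8.0.5.17", "windows", 64, {"IBMJCEPlus"}, {"RSA", "DSA"}),
    Runtime("app02", "8.0.5.15", "linux", 64, {"IBMJCEPlusFIPS"}, {"DSA"}),
    Runtime("app03", "8.0.5.20", "windows", 64, {"IBMJCEPlus"}, {"RSA"}),
    Runtime("app04", "8.0.5.10", "windows", 64, {"IBMJCE"}, {"RSA"}),
    Runtime("app05", "8.0.5.16", "linux", 64, {"IBMJCEPlus"}, {"RSA"}),
]
```

An empty list means none of the APAR's stated conditions match that record; it says nothing about other advisories affecting the same runtime.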
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ07855

  • Reported component name

    SECURITY

  • Reported component ID

    620700125

  • Reported release

    270

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-07-16

  • Closed date

    2018-07-16

  • Last modified date

    2018-07-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SECURITY

  • Fixed component ID

    620700125

Applicable component levels



Document information

More support for: Runtimes for Java Technology
Security

Software version: 270

Reference #: IJ07855

Modified date: 16 July 2018