IBM Support

IJ07855: FOR IBMJCEPLUS AND IBMJCEPLUSFIPS PROVIDERS, THE DEPENDENT LIBRARY 'IBM CRYPTO FOR C MODULE' HAS BEEN UPGRADED.

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Error Message: N/A
.
Stack Trace: N/A
.
N/A

Local fix

  • 



Problem summary


    

  • For IBMJCEPlus and IBMJCEPlusFIPS providers, the dependent
library 'IBM Crypto for C module' has been upgraded.

    



Problem conclusion


    

  • For IBMJCEPlus and IBMJCEPlusFIPS providers, the dependent
library 'IBM Crypto for C module' has been upgraded.

The dependent library for IBMJCEPlus provider has been upgraded
from version 8.5.38.0 to 8.7.6.0

The dependent library for IBMJCEPlusFIPS provider has been
upgraded from version 8.4.1.0 to 8.6.0.0

The upgrade fixes three Common Vulnerabilities and
Exposures(CVE) and extends the sunset date for FIPS 140-2
certification.

FIPS 140-2 certification:

The IBM Crypto for C module, version 8.6.0.0, is now FIPS 140-2
certified till 11/13/2022 and the new certificate is available
at the URL

https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-P
rogram/Certificate/3064

The new version of the underlying native library used by
IBMJCEPlus and IBMJCEPlusFIPS added support for some algorithms,
which are not yet supported by IBMJCEPlus and IBMJCEPlusFIPS.
These are:

RSA-PSS algorithm for digital signature and verification.
HMAC-SHA3 algorithms for message authentication code.
SHA3 algorithms for creating message digests.
AES-CTR algorithm for data encryption and decryption.

Refer to the IBM SDK documentation for further details.

Common Vulnerabilities and Exposures:

The upgrade fixes three CVEs  and the conditions under which the
vulnerabilities are applicable are listed below.

Performing DSA key operations with either IBMJCEPlus or
IBMJCEPlusFIPS providers will require applying the upgrade to
fix the vulnerability CVE-2016-0705.

CVEID: CVE-2016-0705
DESCRIPTION: OpenSSL is vulnerable to a denial of service,
caused by a double-free error when parsing DSA private keys. An
attacker could exploit this vulnerability to corrupt memory and
cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/111140 for
the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Performing RSA, DSA operations with either IBMJCEPlus or
IBMJCEPlusFIPS providers, on a 64 bit Windows platform, will
require applying the upgrade to fix the vulnerabilities
CVE-2017-3732 and CVE-2017-3736.

CVEID: CVE-2017-3732
DESCRIPTION: OpenSSL could allow a remote attacker to obtain
sensitive information, caused by a carry propagating bug in the
x86_64 Montgomery squaring procedure. An attacker could exploit
this vulnerability to obtain information about the private key.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/121313 for
the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)


CVEID: CVE-2017-3736
DESCRIPTION: OpenSSL could allow a remote attacker to obtain
sensitive information, caused by a carry propagation flaw in the
x86_64 Montgomery squaring function bn_sqrx8x_internal(). An
attacker with online access to an unpatched system could exploit
this vulnerability to obtain information about the private key.
CVSS Base Score: 5.9
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/134397 for
the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)


The associated Hursley RTC Problem Report is: 138002

JVMs affected: Java 8.0

The fix was delivered for Java 8 SR5 FP20

The upgrade does not require any changes to IBMJCEPlus.jar.

The build level of this jar for the affected releases is - NA
.
This APAR will be fixed in the following Java Releases:
   8    SR5 FP20  (8.0.5.20)
.
Contact your IBM Product's Service Team for these Service
Refreshes and Fix Packs.
For those running stand-alone, information about the available
Service Refreshes and Fix Packs can be found at:
           https://www.ibm.com/developerworks/java/jdk/

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IJ07855
    • 

  • Reported component name
    SECURITY
    • 

  • Reported component ID
    620700125
    • 

  • Reported release
    270
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2018-07-16
    • 

  • Closed date
    2018-07-16
    • 

  • Last modified date
    2018-07-16
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    SECURITY
    • 

  • Fixed component ID
    620700125
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"270","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            07 December 2020
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback