Security Bulletin
Summary
The “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability affects IBM® Runtime Environment Java™ Technology Edition that is used by IBM Tivoli Monitoring (ITM).
GSKit is an IBM component that is used by IBM Tivoli Monitoring. The GSKit that is shipped with IBM Tivoli Monitoring contains a security vulnerability for the “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability. ITM has addressed the CVE.
Vulnerability Details
CVEID: CVE-2015-0138
DESCRIPTION: A vulnerability in various IBM SSL/TLS implementations could allow a remote attacker to downgrade the security of certain SSL/TLS connections. An IBM SSL/TLS client implementation could accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers.
This vulnerability is also known as the FREAK attack.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/#/vulnerabilities/100691 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
The Java remediation below also includes fixes for the following CVEs:
CVEID: CVE-2014-6593
DESCRIPTION: An unspecified vulnerability related to the JSSE component has partial confidentiality impact, partial integrity impact, and no availability impact.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100153 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVEID: CVE-2015-0410
DESCRIPTION: An unspecified vulnerability related to the Security component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100151 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Affected Products and Versions
The following components of IBM Tivoli Monitoring (ITM) are affected by this vulnerability
- Portal server when configured to use SSL over IIOP - ITM versions 6.2.0 through 6.3.0 FP4
- Java (CANDLEHOME) - ITM Java-based agents using JSSE. - ITM versions 6.2.2 through 6.3.0 FP4
- GSKit - portal server, monitoring servers, and agents - ITM versions 6..20 through 6.2.1 FP4
Remediation/Fixes
Java (CANDLEHOME) Remediation:
The IBM Tivoli Monitoring servers and base agents (those shipped as part of IBM Tivoli Monitoring Fix Packs) are not affected by this vulnerability. Only Java-based agents utilizing Java Secure Socket Extension (JSSE) which rely on the JRE in the IBM Tivoli Monitoring installation directory (for example, CANDLEHOME) can be affected. Agents affected will publish separate security bulletins and reference this bulletin for the remediation.
For systems where the affected agents are installed, the patch below (or later patch) should be installed which will update the shared Tivoli Enterprise-supplied JRE (jr component on UNIX/Linux) or Embedded JVM (JVM component on Windows).
You should verify applying this fix does not cause any compatibility issues.
| Fix | VMRF | APAR | Remediation/First Fix |
| 6.X.X-TIV-ITM_JRE_CANDLEHOME-20150409 | 6.2.2 through 6.3.0 FP4 | None. | http://www.ibm.com/support/docview.wss?uid=swg24039756 |
| 6.3.0-TIV-ITM-FP0005 | 6.3.0.x | None. | http://www.ibm.com/support/docview.wss?uid=swg24039236 |
The technote Upgrading Shared Components for IBM Tivoli Monitoring Agents provides information on how shared libraries are used.
Portal Server:
Portal Server Communication with Portal Clients:
Portal Server Communication with Portal Clients when configured to use SSL over IIOP protocol. SSL over IIOP is being used if both conditions below are true:
- HTTPS is not being used
- applet.html file does not have the tep.connection.protocol=http or https AND
- tep.jnlp file does not have tep.connection.protocol=https
- the KFW_INTERFACE_cnps_SSL is set to "Y" in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config)
| Fix | VMRF | Remediation/First Fix |
| 6.3.0-TIV-ITM-FP0005-IV74486 | 6.3.0 | http://www.ibm.com/support/docview.wss?uid=swg24040448 |
| 6.2.3-TIV-ITM-FP0005-IV74486 | 6.2.3 | http://www.ibm.com/support/docview.wss?uid=swg24040448 |
| 6.2.2-TIV-ITM-FP0009-IV74486 | 6.2.2 | http://www.ibm.com/support/docview.wss?uid=swg24040448 |
| 6.3.0-TIV-ITM-FP0006 | 6.3.0.x | http://www.ibm.com/support/docview.wss?uid=swg24040390 Check link for status on availability. |
For IBM Tivoli Monitoring 6.2.0 and 6.2.1, IBM recommends upgrading to a fixed, supported version/release of the product as listed above.
You should verify applying this fix does not cause any compatibility issues.
GSKit Remediation:
The GSKit with IBM Tivoli Monitoring 6.2.0 through 6.2.1 FP4 is affected. Customers running IBM Tivoli Monitoring version 6.2.0 through 6.2.1.FP4 should upgrade to 6.2.2 or higher for the IBM Tivoli Monitoring infrastrucutre (e.g. portal server, monitoring servers). Call support if unable to upgrade. Recommend to upgrade to 6.22 FP9, 6.23 FP5, or 6.30 FP4 (or higher).
For IBM Tiovli Monitoring 6.2.0 and 6.2.1 Agents, once the infrastructure is at 6.2.2 (or higher), then the shared components of the agents need to be upgraded to the same level. The technote Upgrading Shared Components for IBM Tivoli Monitoring Agents contains the commands that can be used to upgrade the shared components (e.g. GSKit).
Workarounds and Mitigations
Portal Server Communication with Portal Clients Workaround:
A configuration change is required when the portal server is configured to use the SSL over IIOP protocol if the patch above is not installed.. SSL over IIOP is being used if both conditions below are true:
- HTTPS is not being used
- applet.html file does not have the tep.connection.protocol=http or https AND
- tep.jnlp file does not have tep.connection.protocol=https
- the KFW_INTERFACE_cnps_SSL is set to "Y" in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config)
Edit the portal server configuration file:
Windows: <install_dir>/CNPS/KFWENV
Linux/AIX: <install_dir>/config/cq.ini
Add/modify the following variable:
ITM version 6.30 through 6.30 FP4:
KFW_ORBPARM=-Dvbroker.security.server.socket.enabledProtocols=TLS_Version_1_0_Only -Dvbroker.security.cipherList=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,TLS_DHE_RSA_
WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA
ITM version 620 through 6.23 FP5:
KFW_ORBPARM=-Dvbroker.security.cipherList=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,TLS_DHE_RSA_
WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA
Stop and restart portal server for the changes to take affect.
Get Notified about Future Security Bulletins
References
Change History
09 April 2015: Original Version Published
31 July 2015: Updated to include patch for "Portal Server Communication with Portal Clients" which can be used instead of the manual workaound.
17 May 2016: Updated expiration date for document.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Internal Use Only
Advisory
Was this topic helpful?
Document Information
Modified date:
17 June 2018
UID
swg21701519