Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Tivoli Monitoring for Tivoli Storage Manager (CVE-2015-2808)
The RC4 “Bar Mitzvah” Attack for SSL/TLS affects IBM Tivoli Monitoring for Tivoli Storage Manager.
DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as "Bar Mitzvah Attack".
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Affected Products and Versions
The following components of IBM Tivoli Monitoring for Tivoli Storage Manager (Reporting and Monitoring) are affected by the RC4 "Bar Mitzvah" vulnerability:
- IBM Tivoli Monitoring for Tivoli Storage Manager (Reporting) 6.1 - 7.1
The solution provided is for IBM Tivoli Monitoring for Tivoli Storage Manager versions 6.3 and 7.1.
You can either apply the security fix to IBM Tivoli Monitoring or make the configuration changes in the workaround section.
Note: The following table provides the security fixes for IBM Tivoli Monitoring for Tivoli Storage Manager version 6.3 - 7.1
IBM Tivoli Monitoring for Tivoli Storage Manager Version (Reporting and Monitoring) | Fix | Remediation/First Fix
Prerequisite ITM 6.2.2 FP 9 must be applied first.
Prerequisite ITM 6.3.0 FP 4 must be applied first.
Extended support customers using IBM Tivoli Monitoring versions 6.2 or 6.1 for Tivoli Storage Manager should contact IBM support.
You should verify applying this fix does not cause any compatibility issues. The fix disables RC4 stream cipher by default. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.
Workarounds and Mitigations
Note: You only need to perform these configuration changes if you do not wish to apply the security fixes to IBM Tivoli Monitoring.
Configuration changes are needed on the following components on the portal server.
Embedded WebSphere Application Server (eWAS)
Update the configuration for the embedded WebSphere Application Server (eWAS) included as part of the IBM Tivoli Monitoring portal server.
1. Ensure the portal server is running.
2. Start the TEPS/e administration console using the steps in the Starting the TEPS/e administration console section in the Administrator's Guide or follow the steps below:
- Enable the TEPS/e Administration Console:
On Windows: Select the Tivoli Enterprise Portal server from Manage Tivoli Enterprise Monitoring Services (MTEMS), right mouse click, select Advanced --> TEPS/e Administration --> Enable TEPS/e Administration
On UNIX/Linux: Run the command:
- Enable the TEPS/e Administration Console password:
On Windows: Select the Tivoli Enterprise Portal server from MTEMS, right mouse click, select Advanced --> TEPS/e Administration --> Enable TEPS/e Password
On UNIX/Linux: Run the command:
$CANDLEHOME/<interp>/iw/scripts/updateTEPSEPass.sh wasadmin <password>
- Log on to the TEPS/e Administration Console by issuing the command:
Use "wasadmin" as the userid and type in the password set in step 3 above.
3. On the Administration Console:
- Go to Security > SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP)
- In the "Cipher suites" section, select the following ciphers in the "Selected ciphers" box and remove them with the "<< Remove" button.
IBM HTTP Server (IHS)
Update the configuration for the IBM HTTP Server (IHS) included as part of IBM Tivoli Monitoring portal server for versions 6.23 through 6.30 FP1. Note: Portal Server versions 6.20 through 6.22 FP9 are not affected and do not need the change below.
Edit the IBM HTTP Server configuration file httpd.conf:
Windows: Edit the file <install_dir>/IHS/conf/httpd.conf
ITM 6.2.3 on Linux/AIX: Edit the file <install_dir>/<arch>/iu/ihs/conf/httpd.conf
ITM 6.3.0 on Linux/AIX: Edit the file <install_dir>/<arch>/iu/ihs/HTTPServer/conf/httpd.conf
Add the following directive to the httpd.conf file to disable RC4 ciphers for each context that contains "SSLEnable":
Stop and restart the portal server for the changes to take effect.
Portal Server Communication with Portal Clients
A configuration change is required when the portal server is configured to use the SSL over IIOP protocol. SSL over IIOP is being used if both conditions below are true:
- HTTPS is not being used, that is:
  - the applet.html file does not have tep.connection.protocol=http or https, AND
  - the tep.jnlp file does not have tep.connection.protocol=https
- KFW_INTERFACE_cnps_SSL is set to "Y" in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config)
Edit the portal server configuration file:
Add/modify the following variable:
ITM version 6.30 through 6.30 FP4:
ITM version 6.20 through 6.23 FP5:
Stop and restart the portal server for the changes to take effect.
You should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will leave you exposed to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.
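Both the fix section and the workaround section above end with the same advice: confirm that RC4 is actually gone from every TLS endpoint in the environment. The following script is an added example written for this bulletin, not IBM code and not part of any Tivoli product. It offers a TLS server only RC4 cipher suites in a single ClientHello and reads the first record the server sends back: a ServerHello selecting one of those suites means RC4 is still enabled, while a handshake_failure alert means the endpoint refuses RC4. The hostname, port and function names are assumptions for illustration; the handshake is abandoned after the first reply and no application data is exchanged.

```python
"""Check whether a TLS endpoint still negotiates an RC4 cipher suite.

Added example (not IBM code). It sends one TLS 1.0-style ClientHello that
offers ONLY RC4 cipher suites and classifies the server's first record.
"""
import os
import socket
import struct

# RC4 cipher suites by IANA code point.
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}

HANDSHAKE, ALERT = 0x16, 0x15          # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02  # handshake message types
HANDSHAKE_FAILURE = 40                 # alert description "no acceptable cipher"


def _sni_extension(server_name):
    """Build a server_name (SNI) extension block, prefixed by its 2-byte total length."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack(">H", len(name)) + name   # name_type 0 = host_name
    sni_list = struct.pack(">H", len(entry)) + entry
    ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list
    return struct.pack(">H", len(ext)) + ext


def build_client_hello(suites, server_name=None, client_random=None):
    """Return a complete TLS record carrying a ClientHello that offers `suites`."""
    client_random = client_random or os.urandom(32)
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)
    body = (
        b"\x03\x01"                                   # client_version: TLS 1.0
        + client_random                               # 32-byte client random
        + b"\x00"                                     # empty session_id
        + struct.pack(">H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                 # one compression method: null
    )
    if server_name:
        body += _sni_extension(server_name)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack(">H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first TLS record in `data`.

    Returns ("negotiated", suite_code) for a ServerHello, ("alert", description)
    for an alert record, or ("other", content_type) for anything else.
    """
    if len(data) < 5:
        return ("other", None)
    content_type = data[0]
    rec_len = struct.unpack(">H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if content_type == ALERT and len(body) >= 2:
        return ("alert", body[1])
    if content_type == HANDSHAKE and len(body) >= 4 and body[0] == SERVER_HELLO:
        hello = body[4:]                 # skip the 4-byte handshake header
        if len(hello) > 34:              # version(2) + random(32) precede session_id_len
            sid_len = hello[34]
            start = 35 + sid_len         # selected cipher suite follows the session id
            if len(hello) >= start + 2:
                return ("negotiated", struct.unpack(">H", hello[start:start + 2])[0])
    return ("other", content_type)


def _recv_record(sock):
    """Read exactly one TLS record (5-byte header plus body) from the socket."""
    header = b""
    while len(header) < 5:
        chunk = sock.recv(5 - len(header))
        if not chunk:
            return header
        header += chunk
    rec_len = struct.unpack(">H", header[3:5])[0]
    body = b""
    while len(body) < rec_len:
        chunk = sock.recv(rec_len - len(body))
        if not chunk:
            break
        body += chunk
    return header + body


def rc4_suite_accepted(host, port=443, timeout=5.0):
    """Return the name of the RC4 suite the server selects, or None if it refuses RC4."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(list(RC4_SUITES), server_name=host))
        kind, value = parse_server_response(_recv_record(sock))
    if kind == "negotiated":
        return RC4_SUITES.get(value, "0x%04x" % value)
    return None


if __name__ == "__main__":
    import sys
    target = sys.argv[1]                                      # e.g. the portal server host
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    chosen = rc4_suite_accepted(target, target_port)
    print("RC4 still enabled: %s" % chosen if chosen else "RC4 refused (good)")
```

Run it once against each TLS listener the bulletin touches (the eWAS port, the IHS port and, where SSL over IIOP is in use, the portal server port) before and after the change; a result of "RC4 refused" on every endpoint is the expected end state. The script deliberately offers nothing but RC4 suites, so a server that is correctly hardened can only answer with an alert, which is why the alert path and the ServerHello path are both parsed.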
References
Complete CVSS v2 Guide
On-line Calculator v2
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
More support for:
Tivoli Storage Manager
Software version: All Supported Versions
Operating system(s): AIX, Linux, Windows
Software edition: All Editions
Reference #: 1902793
Modified date: 03 April 2017