
Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM Sterling B2B Integrator and IBM Sterling File Gateway (CVE-2015-4000)

Summary

The Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol may affect IBM Sterling B2B Integrator and IBM Sterling File Gateway based on customer configuration and use.

Vulnerability Details

CVE ID: CVE-2015-4000

DESCRIPTION: The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to a 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as "Logjam".

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103294 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM Sterling B2B Integrator 5.2
IBM Sterling File Gateway 2.2
Sterling Integrator 5.1
Sterling File Gateway 2.1

Remediation/Fixes

An IBM® SDK Java or Oracle Java SE update is necessary, since the following components use the default ciphers from IBM® SDK Java or Oracle Java SE:

· Dashboard and all other UIs

· JMS 1.1 adapter and service

· SMTP Send adapter

· B2B Mail Client adapter

See the following table for the steps to upgrade IBM® SDK Java or Oracle Java SE.

After upgrading, you must stop and restart Sterling B2B Integrator in order for new IBM® SDK Java or Oracle Java SE to take effect.

Product & Version: Sterling Integrator 5.1 or Sterling File Gateway 2.1
Remediated Fix:
    1. Upgrade Sterling Integrator to Build 5104.
    2. Go to Fix Central for IBM Java fixes to download IBM® SDK Java™ Technology Edition, Version 6 Service Refresh 16 Fix Pack 5 or a subsequent release.
       For Solaris and HP-UX, refer to the Java vendor to find the appropriate version that addresses the Logjam vulnerability.
    3. Make the configuration changes specified in the Workarounds and Mitigations section below.

Product & Version: IBM Sterling B2B Integrator 5.2 or IBM Sterling File Gateway 2.2
Remediated Fix:
    1. Upgrade Sterling B2B Integrator to V5.2.5.0.
    2. Go to Fix Central for IBM Java fixes to download IBM® SDK Java™ Technology Edition, Version 7 Service Refresh 9 Fix Pack 1 or a subsequent release.
    3. Make the configuration changes specified in the Workarounds and Mitigations section below.

Workarounds and Mitigations

After you upgrade IBM® SDK Java or Oracle Java SE, you must also make the following configuration changes, since some components do not use the default ciphers from IBM® SDK Java or Oracle Java SE. The following table describes the changes for each component. After making them, you must stop and restart Sterling B2B Integrator in order for the changes to take effect.

If you use: Communications adapters (FTP Client, FTP Server, HTTP Client, HTTP Server)
Then do this: If you have overridden WeakCipherSuite, StrongCipherSuite, AllCipherSuite or JDKCipherSuite in security.properties or customer_overrides.properties and included a DH or DHE cipher in the list, remove the DH or DHE cipher. This applies to all SSL usage in the perimeter server.

If you use: Connect:Direct Server adapter or Connect:Direct Request adapter
Then do this: Use strong ciphers in the configuration for adapters and services, and do not use ciphers with DH or DHE key exchange. Review all CDSA configurations to verify that DH and DHE are not in use.
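The following Python script is an added illustration, not IBM's code: it audits a security.properties or customer_overrides.properties excerpt for the finite-field DH suites the table above says to remove, and rewrites the cipher lists without them. It assumes each of the four *CipherSuite properties holds a comma-separated list of JSSE cipher-suite names (the key may carry a file prefix); the sample excerpt is constructed.

```python
import re

# The four cipher-list properties the bulletin names. Assumption: a key may carry
# a file prefix in customer_overrides.properties, so match on its last segment.
CIPHER_KEYS = {"WeakCipherSuite", "StrongCipherSuite",
               "AllCipherSuite", "JDKCipherSuite"}

# Finite-field DH key exchange: DH_, DHE_ and DH_anon suites. ECDH/ECDHE use
# elliptic curves and are outside Logjam's scope; a plain "DH" substring match
# would strip them too, so the match is anchored on the protocol prefix.
FF_DH = re.compile(r"^(TLS|SSL)_DH(E|_anon)?_")


def is_ffdh_suite(name):
    """True for a JSSE cipher-suite name that negotiates finite-field DH."""
    return bool(FF_DH.match(name.strip()))


def is_cipher_key(key):
    return key.strip().split(".")[-1] in CIPHER_KEYS


def split_suites(value):
    # Assumption: the property value is a comma-separated list of suite names.
    return [s.strip() for s in value.split(",") if s.strip()]


def audit(text):
    """Return {property: [finite-field DH suites found]} for the override text."""
    findings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith(("#", "!")) and is_cipher_key(key):
            bad = [s for s in split_suites(value) if is_ffdh_suite(s)]
            if bad:
                findings[key.strip()] = bad
    return findings


def remediate(text):
    """Return the override text with finite-field DH suites removed from the lists."""
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith(("#", "!")) and is_cipher_key(key):
            kept = [s for s in split_suites(value) if not is_ffdh_suite(s)]
            line = f"{key.strip()}={','.join(kept)}"
        out.append(line)
    return "\n".join(out)


# Constructed customer_overrides.properties excerpt (sample data, not from IBM).
SAMPLE = """# constructed sample
StrongCipherSuite=TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
WeakCipherSuite=SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA
"""
```

Run `audit(SAMPLE)` to list the offending suites per property, and `remediate(SAMPLE)` to produce the cleaned file contents; the ECDHE suite survives because it is not finite-field DH.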

Acknowledgement

Reported to IBM by The WeakDH team at https://weakdh.org

Change History

10 June 2015: Original version published
7 July 2015: Added Remediation/Fixes and updated Workarounds and Mitigations

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date: 16 June 2018

UID: swg21959548