Security Bulletin
Summary
There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Versions 6 and 7 that are used by IBM InfoSphere Information Server. These issues were disclosed as part of the IBM Java SDK updates in April 2015. This bulletin also addresses the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol (CVE-2015-4000).
OpenSSL is vulnerable to the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol (CVE-2015-4000). OpenSSL is used by the Progress Software DataDirect Connect ODBC drivers which are shipped as a component of IBM InfoSphere Information Server. The Progress Software DataDirect Connect ODBC drivers have addressed the applicable CVEs.
Vulnerability Details
CVEID: CVE-2015-0478
DESCRIPTION:An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102339 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-0488
DESCRIPTION:An unspecified vulnerability related to the JSSE component could allow a remote attacker to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102336 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2015-1916
DESCRIPTION:Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101995 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2015-4000
DESCRIPTION: The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as "Logjam".
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103294 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Products and Versions
The following product, running on all supported platforms, is affected:
IBM InfoSphere Information Server: versions 8.5, 8.7, 9.1, and 11.3
Remediation/Fixes
|
Product | VRMF | APAR | Remediation/First Fix |
| InfoSphere Information Server | 11.3 | JR53275 JR53677 | --Follow instructions in the README --Upgrade to DataDirect ODBC drivers version 7.1.5 --Use TechNote to choose which OpenSSL version the drivers will use --Use TechNote to follow additional post installation configuration steps |
| InfoSphere Information Server | 9.1 | JR53275 JR53677 | --Update your java.security file to add jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize <768 --Apply JR53275 on all tiers --Upgrade to DataDirect ODBC drivers version 7.1.5 --Use TechNote to choose which OpenSSL version the drivers will use --Use TechNote to follow additional post installation configuration steps |
| InfoSphere Information Server | 8.7 | JR53275 JR53677 | --Apply IBM InfoSphere Information Server version 8.7 Fix Pack 2 --Update your java.security file to add jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize <768 --Apply JR53275 on all tiers --Upgrade to DataDirect ODBC drivers version 7.1.5 --Use TechNote to choose which OpenSSL version the drivers will use --Use TechNote to follow additional post installation configuration steps |
| InfoSphere Information Server | 8.5 | JR53275 JR53677 | --Apply IBM InfoSphere Information Server version 8.5 Fix Pack 3 --Update your java.security file to add jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize <768 --Apply JR53275 on all tiers --Upgrade to DataDirect ODBC drivers version 7.1.5 --Use TechNote to choose which OpenSSL version the drivers will use --Use TechNote to follow additional post installation configuration steps |
For CVE-2015-4000:
1. As the length of the server key size is increased, the amount of CPU required for full TLS/SSL handshake can significantly increase. Please carefully test and assess the impact to your CPU requirements to ensure sufficient CPU resources, otherwise the system availability may be impacted.
2. You should verify that applying this configuration change does not cause any compatibility issues. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions.
For IBM InfoSphere Information Server version 8.1, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
Workarounds and Mitigations
If for any reason, all of the fixes listed above cannot be applied, CVE-2015-4000 may be mitigated as follows:
For the DataDirect ODBC drivers, in all InfoSphere Information Server releases, turn off the use of all DHE cipher suites in the DataDirect ODBC drivers. The list of cipher suites used by the drivers can be found at:
http://media.datadirect.com/download/docs/odbc/allodbc/help.html?_ga=1.236687233.1889495448.1411436493#page/reference/rfi1359986340742.html
The drivers have a hidden connection option named CipherList to control which cipher suites can be used by the driver. For information on the format of CipherList, refer to https://www.openssl.org/docs/man1.0.2/apps/ciphers.html
For WebSphere Application Server, mitigation information can be found in the Security Bulletin http://www-01.ibm.com/support/docview.wss?uid=swg21957980.
For CVE-2015-4000:
1. As the length of the server key size is increased, the amount of CPU required for full TLS/SSL handshake can significantly increase. Please carefully test and assess the impact to your CPU requirements to ensure sufficient CPU resources, otherwise the system availability may be impacted.
2. You should verify that applying this configuration change does not cause any compatibility issues. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions.
Get Notified about Future Security Bulletins
References
Acknowledgement
CVE-2015-1916 was reported to IBM by Karthikeyan Bhargavan of the PROSECCO team at INRIA
CVE-2015-4000 was reported to IBM by The WeakDH team at https://weakdh.org
Change History
07 August 2015: Original Version Published
17 September 2015: Updated to include information on fixed DataDirect ODBC drivers
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Internal Use Only
PSIRTs 54971 56838 WI 231681
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21961125