Security Bulletin
Summary
The Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects IBM Infosphere BigInsights.
Vulnerability Details
CVEID: CVE-2015-4000
DESCRIPTION: The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as "Logjam".
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103294 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Products and Versions
IBM InfoSphere BigInsights 1.1.0, 1.2.0, 1.3.0,1.4.0, 2.0, 2.1, 2.1.2, 3.0, 3.0.0.1, 3.0.0.2, 4.0
Remediation/Fixes
Update JVM as a fix for all affected releases of BigInsights.
Workarounds and Mitigations
For BI 3.x or earlier
- Upgrade to a Java version that corrects the vulnerability
To obtain a fix pack, go to http://www.ibm.com/developerworks/java/jdk/linux/download.html and download an updated edition of Java for Linux, Platform: 64-bit AMD/Opteron/EM64T
BigInsights products use:
- IBM SDK, Java Technology Edition, Version 7, Release 1, Service Refresh 3, Fix Pack 1
- IBM SDK, Java Technology Edition, Version 7, Service Refresh 9, Fix Pack 1
- IBM SDK, Java Technology Edition, Version 6.0.1 (J9 VM2.6), Service Refresh 8, Fix Pack 5
- IBM SDK, Java Technology Edition, Version 6, Service Refresh 16, Fix Pack 5
Java SE Version 7 for BI 3.x
2. To confirm that vulnerability does not exist
After updating the Java version
- Enable https and configure with self created certificate
- Using Firefox 38.0.1. ESR or later, you will not see an error similar to the attachment:
check_if_vulnerable.png
For BI 4.0
Knox
- Upgrade to openjdk java version "1.7.0_79" (critical security upgrade)
- yum install java-1.7.0-openjdk-devel java-1.7.0-openjdk
- java.home=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.79.x86_64
4. Backup your script, /usr/iop/current/knox-server/bin/gateway.sh
5. Update /usr/iop/current/knox-server/bin/gateway.sh with "gateway.sh"
gateway.sh6. Re-start Knox server from Ambari
Ambari
If only using ambari-server setup-security to set SSL self signed (non CA certificate), follow these steps:
- From Ambari server node command line, run: "ambari-server stop"
- Backup your script, /var/lib/ambari-agent/ambari-env.sh
- Upgrade to openjdk java version "1.7.0_79" (critical security upgrade)
- Update /var/lib/ambari-agent/ambari-env.sh with "ambari-env.sh"
ambari-env.sh - Start Ambari server, run: "ambari-server start"
Get Notified about Future Security Bulletins
References
Change History
22 July 2015: Original Version Published
30 July 2015: Updated Version Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
18 July 2020
UID
swg21961697