IBM Support

PM04483: CVE-2009-3555: TLS/SSL PROTOCOL VULNERABILITY FOR WSAS SDK 1.5 SR11

Downloadable files


Abstract

CVE-2009-3555: TLS/SSL PROTOCOL VULNERABILITY FOR WSAS SDK 1.5 SR11

Download Description

ERROR DESCRIPTION:

CVE-2009-3555: TLS/SSL PROTOCOL VULNERABILITY FOR WSAS SDK 1.5 SR11

Versions affected:

IBM WebSphere Application Server (WSAS) Versions 6.1 through 6.1.0.x. A seperate APAR and a fix will be available for WSAS V6.0.2x. This does not occur on WSAS Versions 7.0 or later.

NOTE: The SDK code base used for building this fix is:
WSAS SDK V6.1.0.29 - 1.5.0 Java Technology Edition SR11

The fix can be applied to any version of WSAS V6.1.0.x but it should be noted that applying this fix will update your SDK level to V6.1.0.29 plus this APAR fix to resolve TLS problem. The WSAS level will remain unchanged after applying this fix.

LOCAL FIX:
None

PROBLEM SUMMARY
TLS/SSL PROTOCOL VULNERABILITY FOR WSAS SDK 1.5 SR11

USERS AFFECTED:
All users of IBM WebSphere Application Server V6.1

PROBLEM DESCRIPTION:

All customers using WebSphere Application Server relying on Secure Socket Layer v3 (SSLv3) or any of the multiple versions of Transport Layer Security (TLS) in support of secure communications between a client and server or between server and server are impacted by a recently discovered weakness in the TLS and SSLv3 protocols. SSLv2 is not affected.

The TLS/SSL weakness exists in multiple implementations of the Transport Layer Security (TLS) protocol, including SSL.

RECOMMENDATION:

To address the weakness in the TLS/SSL handshake renegotiation, IBM, along with the other members in the Industry Consortium for the Advancement of Security on the Internet (ICASI), are working together with the Internet Engineering Task Force (IETF) to enhance and strengthen the handshake renegotiation protocol in the TLS specification. This effort will take some time to complete. The delivery outlook for inclusion of this enhanced handshake renegotiation capability in TLS protocol implementations is unknown at this time.

In the interim, WebSphere Application Server is delivering this APAR to allow an installation to disable the TLS handshake renegotiation. The TLS handshake renegotiation is rarely used. Disabling the TLS handshake renegotiation will block a remote attacker from attempting to exploit the weakness in the TLS protocol. After installing this fix, the default setting will disable the TLS handshake renegotiation. The fix also provides an option to re-enable renegotiation if warranted. TLS handshake renegotiation should be re-enabled only if absolutely necessary and with a clear understanding and acceptance of the potential security risks.

IBM Java Secure Socket Extensions (JSSE) includes TLS support. If your Java application uses JSSE for secure communication, you can disable TLS renegotiation by installing this APAR. After installing this APAR, the following properties are added:

com.ibm.jsse2.renegotiate=[ALL | NONE | ABBREVIATED]
ALL: allow both abbreviated and unabbreviated (full) renegotiation handshakes.
NONE: allow no renegotiation handshakes. This option is the new default setting.
ABBREVIATED: allow only abbreviated renegotiation handshakes.

PROBLEM CONCLUSION:
The iFix is built on SDK 1.5 SR11. However, this SDK iFix can be applied to any SDK 1.5 SR11 and lower. By doing so, the SDK will be replaced with SDK 1.5 SR11 + this iFix

URL LANGUAGE SIZE(Bytes)
Update installer English 7250000

URL LANGUAGE SIZE(Bytes)
readme English 4798

Download package



Download RELEASE DATE LANGUAGE SIZE(Bytes) Download Options
What is Fix Central(FC)?
What is DD?
AIX 32-bit Power PC Java SDK 1/21/2010 English 64500359 FC FTP DD
AIX 64-bit Power PC Java SDK 1/21/2010 English 64950743 FC FTP DD
HP-UX 64-bit Intel Itanium Java SDK 1/21/2010 English 70107887 FC FTP DD
HP-UX 32-bit HP PA-RISC Java SDK 1/21/2010 English 55503712 FC FTP DD
Linux 32-bit i/p Series Java SDK 1/21/2010 English 70242904 FC FTP DD
Linux 64-bit i/p Series Java SDK 1/21/2010 English 68404863 FC FTP DD
Linux 32-bit S/390 1/21/2010 English 64043714 FC FTP DD
Linux 64-bit S/390 1/21/2010 English 64055259 FC FTP DD
Linux 32-bit x86 AMD/Intel Java SDK 1/21/2010 English 62409007 FC FTP DD
Linux 64-bit x86 AMD/Intel Java SDK 1/21/2010 English 64228619 FC FTP DD
Solaris 32-bit SPARC 1/21/2010 English 54081829 FC FTP DD
Solaris 64-bit SPARC 1/21/2010 English 67487430 FC FTP DD
Solaris 64-bit x86 1/21/2010 English 55788646 FC FTP DD
Win 32-bit x86 AMD/Intel Java SDK 1/21/2010 English 75135786 FC FTP DD
Win 64-bit x86 AMD/Intel Java SDK 1/21/2010 English 70058995 FC FTP DD

Problems (APARS) fixed
PM00483

Document information

More support for: WebSphere Application Server
Java SDK

Software version: 6.1, 6.1.0.1, 6.1.0.3, 6.1.0.5, 6.1.0.7, 6.1.0.9, 6.1.0.11, 6.1.0.13, 6.1.0.15, 6.1.0.17, 6.1.0.19, 6.1.0.21, 6.1.0.23, 6.1.0.25, 6.1.0.27, 6.1.0.29

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Software edition: Base, Network Deployment

Reference #: 4025718

Modified date: 22 January 2010


Translate this page: