IBM Support

PM04544:CVE-2009-3555:TLS/SSL PROTOCOL VULNERABILITY FOR WSAS SDK 1.4.2 SR13-FP2

Abstract

CVE-2009-3555: TLS/SSL PROTOCOL VULNERABILITY FOR WSAS SDK 1.4.2 SR13-FP2

Download Description

ERROR DESCRIPTION:

CVE-2009-3555: TLS/SSL PROTOCOL VULNERABILITY FOR WSAS SDK 1.4.2 SR13-FP2
Versions affected:

IBM WebSphere Application Server Versions (WSAS) 6.0.2.x. Separate APARs PM04482 and PM04483 will be available for WSAS V6.1.0.x. This does not occur on WSAS Versions 7.0 or later.

NOTE: The SDK code base used for building this fix is:
WSAS SDK V6.0.2.39 (1.4.2 SR13 FP2)

The fix can be applied to any version of WSAS V6.0.2.x, but note that applying it updates your WSAS SDK to V6.0.2.39 (1.4.2 SR13 FP2) plus this APAR fix for the TLS problem. The WSAS level itself remains unchanged after the fix is applied.

LOCAL FIX:
None

PROBLEM SUMMARY:
TLS/SSL PROTOCOL VULNERABILITY FOR WSAS SDK 1.4.2 SR13-FP2

USERS AFFECTED:
All users of IBM WebSphere Application Server V6.0.2

PROBLEM DESCRIPTION:

All customers using WebSphere Application Server who rely on Secure Sockets Layer version 3 (SSLv3) or any version of Transport Layer Security (TLS) to secure communication between a client and a server, or between servers, are affected by a recently discovered weakness in the TLS and SSLv3 protocols. SSLv2 is not affected.

The TLS/SSL weakness exists in multiple implementations of the Transport Layer Security (TLS) protocol, including SSL.

RECOMMENDATION:

To address the weakness in the TLS/SSL handshake renegotiation, IBM, along with the other members of the Industry Consortium for the Advancement of Security on the Internet (ICASI), is working with the Internet Engineering Task Force (IETF) to enhance and strengthen the handshake renegotiation protocol in the TLS specification. This effort will take some time to complete. The delivery outlook for inclusion of this enhanced handshake renegotiation capability in TLS protocol implementations is unknown at this time.

In the interim, WebSphere Application Server is delivering this APAR to allow an installation to disable TLS handshake renegotiation. TLS handshake renegotiation is rarely used, and disabling it prevents a remote attacker from exploiting the weakness in the TLS protocol. After this fix is installed, the default setting disables TLS handshake renegotiation. The fix also provides an option to re-enable renegotiation if warranted.

TLS handshake renegotiation should be re-enabled only if absolutely necessary and with a clear understanding and acceptance of the potential security risks.

IBM Java Secure Socket Extensions (JSSE) includes TLS support. If your Java application uses JSSE for secure communication, you can disable TLS renegotiation by installing this APAR. After the APAR is installed, the following property is recognized:

com.ibm.jsse2.renegotiate=[ALL | NONE | ABBREVIATED]
ALL: allow both abbreviated and unabbreviated (full) renegotiation handshakes.
NONE: allow no renegotiation handshakes. This option is the new default setting.
ABBREVIATED: allow only abbreviated renegotiation handshakes.
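The property above is a per-JVM setting, so the practical question for an administrator is which servers in an estate have quietly set it back to ALL. The following audit helper is an added example written for this page; it is not part of the APAR, the readme, or the IBM SDK. It assumes the property is supplied as a -D JVM argument (for instance in a server's generic JVM arguments), that a later -D definition overrides an earlier one as on a standard java command line, and that an absent property means the post-fix default of NONE. It only recognizes the three documented values exactly as spelled; how the SDK treats other spellings is not stated here, so those are reported as unknown rather than guessed. The server inventory at the bottom is constructed sample data.

```python
"""Audit the com.ibm.jsse2.renegotiate setting introduced by APAR PM04544.

Given the JVM arguments configured for each server, report the effective
renegotiation policy and a risk rating so that servers where full
renegotiation was turned back on can be found quickly.
"""
import shlex
from dataclasses import dataclass
from typing import Optional

PROPERTY = "com.ibm.jsse2.renegotiate"
DEFAULT = "NONE"  # default after the APAR is installed (assumption: property absent => NONE)


@dataclass(frozen=True)
class RenegotiationPolicy:
    value: str                           # the value in effect
    source: str                          # "explicit" (set via -D) or "default"
    full_renegotiation: Optional[bool]   # True only for ALL; None if the value is not documented
    risk: str                            # "high", "low", "none" or "unknown"


def _d_properties(jvm_args):
    """Extract -Dname=value pairs; a later definition overrides an earlier one."""
    props = {}
    for arg in jvm_args:
        if not arg.startswith("-D"):
            continue
        name, sep, value = arg[2:].partition("=")
        # "-Dname" without "=" defines the property with an empty value, as java does
        props[name] = value if sep else ""
    return props


def effective_policy(jvm_args):
    """Return the RenegotiationPolicy implied by a list of JVM arguments."""
    props = _d_properties(jvm_args)
    if PROPERTY not in props:
        return RenegotiationPolicy(DEFAULT, "default", False, "none")
    value = props[PROPERTY]
    if value == "ALL":          # full and abbreviated renegotiation allowed
        return RenegotiationPolicy(value, "explicit", True, "high")
    if value == "ABBREVIATED":  # only abbreviated (session-resumption style) renegotiation
        return RenegotiationPolicy(value, "explicit", False, "low")
    if value == "NONE":         # no renegotiation at all
        return RenegotiationPolicy(value, "explicit", False, "none")
    # Not one of the documented values: the page does not say how the SDK
    # treats this, so flag it for manual verification instead of guessing.
    return RenegotiationPolicy(value, "explicit", None, "unknown")


def audit(servers):
    """servers: mapping of server name -> JVM argument string.

    Returns a list of (server, value, risk) for every server whose effective
    policy is anything other than NONE.
    """
    findings = []
    for name, arg_string in servers.items():
        policy = effective_policy(shlex.split(arg_string))
        if policy.risk != "none":
            findings.append((name, policy.value, policy.risk))
    return findings


# Constructed sample inventory; these are not real servers or real settings.
SAMPLE_SERVERS = {
    "server1": "-Xmx512m",
    "server2": "-Xmx512m -Dcom.ibm.jsse2.renegotiate=ALL",
    "server3": "-Dcom.ibm.jsse2.renegotiate=ALL -Dcom.ibm.jsse2.renegotiate=ABBREVIATED",
    "server4": "-Dcom.ibm.jsse2.renegotiate=all",
}

if __name__ == "__main__":
    for server, value, risk in audit(SAMPLE_SERVERS):
        print(f"{server}: {PROPERTY}={value} ({risk} risk)")
```

Run against the sample inventory, the audit reports server2 as high risk (ALL), server3 as low risk because the later ABBREVIATED definition wins, and server4 as unknown because a lower-case value is not among the documented ones; server1 is silent because it inherits the NONE default.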

PROBLEM CONCLUSION:
The iFix is built on SDK 1.4.2 SR13-FP2. However, it can be applied to any SDK at level 1.4.2 SR13-FP2 or lower; doing so replaces the SDK with SDK 1.4.2 SR13-FP2 plus this iFix.

Update installer (AIX, English, 7250000 bytes):
http://www-01.ibm.com/support/docview.wss?uid=swg21205991

Readme (English, 4694 bytes):
ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM04544/readme.txt

Download packages (all dated 1/25/2010, English; each entry lists its Fix Central URL, FTP URL and Download Director URL):

AIX 32-bit Power PC Java SDK (AIX, 92098160 bytes)
http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.X-WS-WASJavaSDK-AixPPC32-IFPM04544&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-AixPPC32-IFPM04544.pak
http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-AixPPC32-IFPM04544.pak

AIX 64-bit Power PC Java SDK (AIX, 47221182 bytes)
http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.X-WS-WASJavaSDK-AixPPC64-IFPM04544&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-AixPPC64-IFPM04544.pak
http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-AixPPC64-IFPM04544.pak

HP-UX 32-bit HP PA-RISC Java SDK (HP-UX, 102361000 bytes)
http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.X-WS-WASJavaSDK-HpuxPaRISC-IFPM04544&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-HpuxPaRISC-IFPM04544.pak
http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-HpuxPaRISC-IFPM04544.pak

HP-UX 64-bit Intel Itanium Java SDK (HP-UX, 49029409 bytes)
http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.X-WS-WASJavaSDK-HpuxIA64-IFPM04544&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-HpuxIA64-IFPM04544.pak
http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-HpuxIA64-IFPM04544.pak

Linux 32-bit i/p Series Java SDK (Linux, 128232548 bytes)
http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.X-WS-WASJavaSDK-LinuxPPC32-IFPM04544&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-LinuxPPC32-IFPM04544.pak
http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-LinuxPPC32-IFPM04544.pak

Linux 64-bit i/p Series Java SDK (Linux, 62212555 bytes)
http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.X-WS-WASJavaSDK-LinuxPPC64-IFPM04544&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-LinuxPPC64-IFPM04544.pak
http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-LinuxPPC64-IFPM04544.pak

Linux 32-bit S/390 (Linux, 107667183 bytes)
http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.X-WS-WASJavaSDK-LinuxS390-IFPM04544&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-LinuxS390-IFPM04544.pak
http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-LinuxS390-IFPM04544.pak

Linux 64-bit S/390 (Linux, 56707958 bytes)
http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.X-WS-WASJavaSDK-LinuxS390_64-IFPM04544&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-LinuxS390_64-IFPM04544.pak
http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-LinuxS390_64-IFPM04544.pak

Linux 32-bit x86 AMD/Intel Java SDK (Linux, 127935035 bytes)
http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.X-WS-WASJavaSDK-LinuxX32-IFPM04544&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-LinuxX32-IFPM04544.pak
http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-LinuxX32-IFPM04544.pak

Linux 64-bit x86 AMD/Intel Java SDK (Linux, 56102792 bytes)
http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.X-WS-WASJavaSDK-LinuxAMD64-IFPM04544&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-LinuxAMD64-IFPM04544.pak
http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-LinuxAMD64-IFPM04544.pak

Solaris 32-bit SPARC (Solaris, 81652049 bytes)
http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.X-WS-WASJavaSDK-SolarisSparc-IFPM04544&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-SolarisSparc-IFPM04544.pak
http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-SolarisSparc-IFPM04544.pak

Win 32-bit x86 AMD/Intel Java SDK (Windows, 156555135 bytes)
http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.X-WS-WASJavaSDK-WinX32-IFPM04544&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-WinX32-IFPM04544.pak
http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-WinX32-IFPM04544.pak

Win 64-bit x86 AMD/Intel Java SDK (Windows, 54443287 bytes)
http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.X-WS-WASJavaSDK-WinAMD64-IFPM04544&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-WinAMD64-IFPM04544.pak
http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PM04544/6.0.2.X-WS-WASJavaSDK-WinAMD64-IFPM04544.pak

Product information:
Product: WebSphere Application Server (SSEQTP)
Business Unit: Cloud & Data Platform (BU053)
Component: Java SDK
Platforms: AIX (PF002); HP-UX (PF010); Linux (PF016); Solaris (PF027); Windows (PF033)
Versions: 6.0.2.9; 6.0.2.7; 6.0.2.5; 6.0.2.39; 6.0.2.37; 6.0.2.35; 6.0.2.33; 6.0.2.31; 6.0.2.3; 6.0.2.29; 6.0.2.27; 6.0.2.25; 6.0.2.23; 6.0.2.21; 6.0.2.19; 6.0.2.17; 6.0.2.15; 6.0.2.13; 6.0.2.11; 6.0.2.1; 6.0.2
Edition: Base; Network Deployment
Line of Business: Automation (LOB45)

Document Information

Modified date:
15 June 2018

UID

swg24025742