
Security Bulletin: Vulnerability in RC4 stream cipher affects InfoSphere BigInsights (CVE-2015-2808)

Summary

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects InfoSphere BigInsights.

Vulnerability Details

CVEID: CVE-2015-2808

DESCRIPTION:
The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as "Bar Mitzvah Attack".

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Customers who have Secure Sockets Layer (SSL) support enabled for any of the BigInsights components.

IBM InfoSphere BigInsights 2.0, 2.1, 2.1.2, 3.0, 3.0.0.1, 3.0.0.2, 4.0

Remediation/Fixes

For versions 2.1.2, 2.1, and 2.0: Apply the interim fix, which removes the RC4 cipher suites from the default list of enabled cipher suites. After downloading the BigInsights IBM Java version 1.6 Service Refresh 16 Fix Pack 3 from Fix Central, perform the following steps as the BigInsights Administrator to replace the default JDK:

The steps below assume that the new JDK archive is ibm-java-sdk-6.0-16.3-linux-x86_64.tgz and the current JDK archive is ibm-java-sdk-6.0-12.0-linux-x86_64.tgz. Replace the file names with the version of the new JDK for your platform and with the version currently installed on your system.

  1. Stop InfoSphere BigInsights: $BIGINSIGHTS_HOME/bin/stop-all.sh
  2. Upload the new IBM JDK to console node in the $BIGINSIGHTS_HOME directory
  3. Run the following commands on the BigInsights console node:
    • cd $BIGINSIGHTS_HOME
    • mv jdk/ jdk_orig
    • sudo chmod 777 ibm-java-sdk-6.0-16.3-linux-x86_64.tgz
    • sudo chown biadmin:biadmin ibm-java-sdk-6.0-16.3-linux-x86_64.tgz
    • tar zxvf ibm-java-sdk-6.0-16.3-linux-x86_64.tgz
    • mv ibm-java-x86_64-60 jdk
    • mv $BIGINSIGHTS_HOME/hdm/jdk $BIGINSIGHTS_HOME/hdm/jdk_orig
    • cp -r $BIGINSIGHTS_HOME/jdk $BIGINSIGHTS_HOME/hdm/
  4. Run the following commands from the console node against all other nodes in the cluster (node is the name of the non-console node):
    • ssh node "mv $BIGINSIGHTS_HOME/jdk $BIGINSIGHTS_HOME/jdk_orig"
    • scp -r $BIGINSIGHTS_HOME/jdk node:$BIGINSIGHTS_HOME/
  5. Run the following commands on the console node:
    • cd $BIGINSIGHTS_HOME/hdm/artifacts
    • mv ibm-java-sdk-6.0-12.0-linux-x86_64.tgz ibm-java-sdk-6.0-12.0-linux-x86_64.tgz_orig
    • cp $BIGINSIGHTS_HOME/ibm-java-sdk-6.0-16.3-linux-x86_64.tgz ibm-java-sdk-6.0-12.0-linux-x86_64.tgz
    • cd $BIGINSIGHTS_HOME/hdm/todeploy
    • mv jdk.tar.gz jdk.tar.gz_orig
    • mv jdk.tar.gz.cksum jdk.tar.gz.cksum_orig
    • syncconf.sh
    • cp jdk.tar.gz.cksum $BIGINSIGHTS_HOME/jdk/.deploy.cksum
    • For each node (where node is the name of the non-console node):
      • scp $BIGINSIGHTS_HOME/jdk/.deploy.cksum node:$BIGINSIGHTS_HOME/jdk/.deploy.cksum
  6. Sync the configuration, and restart BigInsights:
    $BIGINSIGHTS_HOME/bin/syncconf.sh
    $BIGINSIGHTS_HOME/bin/start-all.sh
    $BIGINSIGHTS_HOME/bin/healthcheck.sh

For other versions affected by this vulnerability, follow the instructions in the mitigation section.

Workarounds and Mitigations

This vulnerability can be mitigated by disabling RC4 in the IBM Java security file and by enabling FIPS mode in the LDAP security plug-in configuration file for Big SQL.

For versions 3.0, 3.0.0.1, 3.0.0.2

Follow the mitigation instructions below as the BigInsights Administrator to disable RC4 in IBM Java:

  1. Stop InfoSphere BigInsights: $BIGINSIGHTS_HOME/bin/stop-all.sh
  2. On the console node, update the java.security file to turn off RC4:
    • Locate the java.security file on the console node under $BIGINSIGHTS_HOME/hdm/jdk/jre/lib/security/java.security
    • Edit the java.security file and turn off RC4 by adding: jdk.tls.disabledAlgorithms=SSLv3,RC4
  3. Recreate jdk.tar.gz on the console node so that it includes the new version of the java.security file:
    • cd $BIGINSIGHTS_HOME/hdm/todeploy
    • mv jdk.tar.gz jdk.tar.gz.orig
    • mv jdk.tar.gz.cksum jdk.tar.gz.cksum.orig
    • syncconf.sh
    • cp $BIGINSIGHTS_HOME/hdm/todeploy/jdk.tar.gz.cksum $BIGINSIGHTS_HOME/jdk/.deploy.cksum
  4. Run the following commands from the console node against all other nodes in the cluster (node is the name of the non-console node):
    • ssh node "mv $BIGINSIGHTS_HOME/jdk/.deploy.cksum $BIGINSIGHTS_HOME/jdk/.deploy.cksum.orig"
    • scp $BIGINSIGHTS_HOME/jdk/.deploy.cksum node:$BIGINSIGHTS_HOME/jdk/.deploy.cksum
  5. On each node:
    • Locate the java.security file used by BigInsights: $BIGINSIGHTS_HOME/jdk/jre/lib/security/java.security
    • Edit the java.security file and turn off RC4 by adding: jdk.tls.disabledAlgorithms=SSLv3,RC4
  6. Restart BigInsights: $BIGINSIGHTS_HOME/bin/start-all.sh
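Steps 2 and 5 above edit java.security by hand on every node. The following shell functions are an added example, not an IBM script: they check whether an active jdk.tls.disabledAlgorithms line already lists RC4 as a whole token (a commented-out line or RC4_40 does not count) and, if not, add the bulletin's SSLv3,RC4 setting, appending to an existing line rather than adding a second one (in a Java properties file a later duplicate key replaces the earlier value, it does not merge). The file path is passed as an argument; the bulletin's paths are assumed.

```shell
# Added example, not IBM's code. Usage: disable_rc4 /path/to/java.security
# e.g. disable_rc4 "$BIGINSIGHTS_HOME/jdk/jre/lib/security/java.security"

KEY='jdk.tls.disabledAlgorithms'
KEY_RE='jdk\.tls\.disabledAlgorithms'   # regex-escaped form of KEY

# rc4_disabled FILE: exit 0 only if an uncommented KEY line lists RC4 as a
# whole comma-separated token; exit 1 otherwise.
rc4_disabled() {
    grep -E '^[[:space:]]*'"$KEY_RE"'[[:space:]]*=[[:space:]]*([^#]*[,=][[:space:]]*)?RC4[[:space:]]*(,|$)' \
        "$1" >/dev/null 2>&1
}

# disable_rc4 FILE: make sure RC4 is disabled, keeping a FILE.orig backup
# (the bulletin keeps .orig copies of the other files it changes).
disable_rc4() {
    f="$1"
    rc4_disabled "$f" && return 0          # already disabled, nothing to do
    cp "$f" "$f.orig" || return 1
    if grep -E '^[[:space:]]*'"$KEY_RE"'[[:space:]]*=' "$f" >/dev/null 2>&1; then
        # A setting already exists: append RC4 to its value (first expression
        # handles a non-empty value, the second an empty one).
        sed -E -e 's/^([[:space:]]*'"$KEY_RE"'[[:space:]]*=[[:space:]]*)([^[:space:]].*)$/\1\2,RC4/' \
               -e 's/^([[:space:]]*'"$KEY_RE"'[[:space:]]*=[[:space:]]*)$/\1RC4/' \
               "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        # No setting at all: add exactly the line the bulletin prescribes.
        printf '%s=SSLv3,RC4\n' "$KEY" >> "$f"
    fi
    rc4_disabled "$f"                      # verify the edit actually took
}

if [ "$#" -gt 0 ]; then
    for file in "$@"; do
        disable_rc4 "$file" && echo "RC4 disabled in $file"
    done
fi
```

Run it on the console-node copy (step 2) and then on each node's copy (step 5); rerunning is harmless because a file that already disables RC4 is left untouched.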


For versions 3.0, 3.0.0.1, 3.0.0.2, and 4.0

Customers who have Secure Sockets Layer (SSL) support enabled in their client configuration and use the LDAP security plug-in to communicate with the LDAP server for Big SQL should follow the instructions below to mitigate the problem. SSL support is not enabled in the LDAP security plug-in by default.

Mitigation instructions:

Customers should enable FIPS mode in the LDAP security plug-in as follows:

  1. As the Big SQL instance owner, open the LDAP security plug-in configuration file. The default name and location of the IBM LDAP security plug-in configuration file is:
    • BIGSQL_HOME/sqllib/cfg/IBMLDAPSecurity.ini
    • Optionally, it can reside in the location defined by the DB2LDAPSecurityConfig environment variable.
  2. Search for the FIPS_MODE configuration parameter in the file and change its value to true. Save and close the file.

      ; FIPS_MODE
      ; To set SSL encryption FIPS mode on or off.
      ; Optional; Valid values are true (on) and false (off). Defaults to
      ; false (FIPS mode off).
      FIPS_MODE = true

Change History

April 28, 2015: Original Version Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
08 April 2021

UID

swg21883618