Direct links to fixes
4.6.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if010
4.7.0.3-SterlingConnectDirectforMicrosoftWindows-x86-fp0003-if005
4.7.0.3-SterlingConnectDirectforMicrosoftWindows-x86-fp0003-if012
4.6.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if015
4.6.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if017
4.7.0.3-SterlingConnectDirectforMicrosoftWindows-x86-fp0003-if015
4.7.0.3-SterlingConnectDirectforMicrosoftWindows-x86-fp0003-if020
4.6.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if022
4.7.0.4-SterlingConnectDirectforMicrosoftWindows-x86-fp0004
4.6.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if028
4.6.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006
4.7.0.4-SterlingConnectDirectforMicrosoftWindows-x86-fp0004-if007
4.6.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if008
4.7.0.4-SterlingConnectDirectforMicrosoftWindows-x86-fp0004-if016
4.6.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if009
4.6.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if013
4.6.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if015
4.7.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005
4.6.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if018
4.7.0.4-SterlingConnectDirectforMicrosoftWindows-x86-fp0004-if023
4.7.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if006
4.7.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if013
4.7.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if016
4.7.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if025
4.7.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006
4.7.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if005
4.7.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if006
4.7.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if012
4.7.0.7-SterlingConnectDirectforMicrosoftWindows-x86-fp0007
4.7.0.7-SterlingConnectDirectforMicrosoftWindows-x86-fp0007-if001
4.7.0.7-SterlingConnectDirectforMicrosoftWindows-x86-fp0007-if009
4.7.0.7-SterlingConnectDirectforMicrosoftWindows-x86-fp0007-if016
4.7.0.7-SterlingConnectDirectforMicrosoftWindows-x86-fp0007-if018
4.7.0.7-SterlingConnectDirectforMicrosoftWindows-x86-fp0007-if021
4.7.0.7-SterlingConnectDirectforMicrosoftWindows-x86-fp0007-if023
Sterling Connect:Direct for Microsoft Windows 4.6.0 Fix Packs
APAR status
Closed as program error.
Error description
The Bar Mitzvah Attack exploits a previously known vulnerability in the RC4 component of the SSL/TLS communication protocols. This exploit allows the attacker to partially decrypt information sent between two computer systems across a network. IBM Sterling Connect:Direct for Microsoft Windows can use SSL/TLS communication and therefore is vulnerable.
Local fix
STRRTC - 462325 VF / VF Circumvention: None
Problem summary
Users Affected:
Sterling Connect:Direct for Windows 4.5.00
Sterling Connect:Direct for Windows 4.5.01
Sterling Connect:Direct for Windows 4.6.0
Sterling Connect:Direct for Windows 4.7.0

Problem Description:
CBC ciphers are vulnerable to CVE-2011-3389 (BEAST Attack). Previous recommendation to mitigate CVE-2011-3389 was to not use CBC ciphers. RC4 ciphers are vulnerable to CVE-2015-2808 (Bar Mitzvah Attack). Current recommendation to mitigate CVE-2015-2808 is to discontinue use of RC4 ciphers. However, the remaining available ciphers are generally CBC ciphers.

Platforms Affected:
Windows
Problem conclusion
Resolution Summary:
Fixed code to mitigate CVE-2011-3389 (BEAST Attack).

Recommendation:
Sterling Connect:Direct for Microsoft Windows by default disables the RC4 stream cipher. If you enabled the RC4 stream cipher you are exposed to the RC4 Bar Mitzvah Attack for SSL/TLS. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.

Delivered In:
Sterling Connect:Direct for Windows 4.5.00 Patch 056
Sterling Connect:Direct for Windows 4.5.01 Patch 022
Sterling Connect:Direct for Windows 4.6.0.5_iFix010
Sterling Connect:Direct for Windows 4.7.0.3_iFix004
Temporary fix
Comments
APAR Information
APAR number
IT08243
Reported component name
STR CD FOR WIND
Reported component ID
5725C9908
Reported release
460
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-04-13
Closed date
2015-04-23
Last modified date
2015-04-23
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
STR CD FOR WIND
Fixed component ID
5725C9908
Applicable component levels
Document Information
Modified date:
25 August 2023