IBM Support

IT08243: VULNERABILITY IN RC4 COMPONENT AFFECT STERLING CONNECT:DIRECT FOR WINDOWS (CVE-2015-2808)

Direct links to fixes

4.6.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if010
4.7.0.3-SterlingConnectDirectforMicrosoftWindows-x86-fp0003-if005
4.7.0.3-SterlingConnectDirectforMicrosoftWindows-x86-fp0003-if012
4.6.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if015
4.6.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if017
4.7.0.3-SterlingConnectDirectforMicrosoftWindows-x86-fp0003-if015
4.7.0.3-SterlingConnectDirectforMicrosoftWindows-x86-fp0003-if020
4.6.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if022
4.7.0.4-SterlingConnectDirectforMicrosoftWindows-x86-fp0004
4.6.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if028
4.6.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006
4.7.0.4-SterlingConnectDirectforMicrosoftWindows-x86-fp0004-if007
4.6.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if008
4.7.0.4-SterlingConnectDirectforMicrosoftWindows-x86-fp0004-if016
4.6.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if009
4.6.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if013
4.6.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if015
4.7.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005
4.6.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if018
4.7.0.4-SterlingConnectDirectforMicrosoftWindows-x86-fp0004-if023
4.7.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if006
4.7.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if013
4.7.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if016
4.7.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if025
4.7.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006
4.7.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if005
4.7.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if006
4.7.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if012
4.7.0.7-SterlingConnectDirectforMicrosoftWindows-x86-fp0007
4.7.0.7-SterlingConnectDirectforMicrosoftWindows-x86-fp0007-if001
4.7.0.7-SterlingConnectDirectforMicrosoftWindows-x86-fp0007-if009
4.7.0.7-SterlingConnectDirectforMicrosoftWindows-x86-fp0007-if016
4.7.0.7-SterlingConnectDirectforMicrosoftWindows-x86-fp0007-if018
4.7.0.7-SterlingConnectDirectforMicrosoftWindows-x86-fp0007-if021
4.7.0.7-SterlingConnectDirectforMicrosoftWindows-x86-fp0007-if023
Sterling Connect:Direct for Microsoft Windows 4.6.0 Fix Packs

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • The Bar Mitzvah Attack exploits a previously known
vulnerability in the RC4 component of the SSL/TLS communication
protocols. This exploit allows the attacker to partially
decrypt information sent between two computer systems across a
network.
IBM Sterling Connect:Direct for Microsoft Windows can use
SSL/TLS communication and therefore is vulnerable.

Local fix

  • STRRTC - 462325
VF / VF
Circumvention: None

Problem summary

  • Users Affected:
Sterling Connect:Direct for Windows 4.5.00
Sterling Connect:Direct for Windows 4.5.01
Sterling Connect:Direct for Windows 4.6.0
Sterling Connect:Direct for Windows 4.7.0

Problem Description:
CBC ciphers are vulnerable to CVE-2011-3389 (BEAST Attack).
Previous recommendation to mitigate CVE-2011-3389 was to not
use CBC ciphers. RC4 ciphers are vulnerable to CVE-2015-2808
(Bar Mitzvah Attack). Current recommendation to mitigate
CVE-2015-2808 is to discontinue use of RC4 ciphers. However,
the remaining available ciphers are generally CBC ciphers.

Platforms Affected:
Windows

Problem conclusion

  • Resolution Summary:
Fixed code to mitigate CVE-2011-3389 (BEAST Attack).
Recommendation:
Sterling Connect:Direct for Microsoft Windows by default
disables the RC4 stream cipher. If you enabled the RC4 stream
cipher you are exposed to the RC4  Bar Mitzvah  Attack
for SSL/TLS. IBM recommends that you review your entire
environment to identify other areas where you have enabled the
RC4 stream cipher and take appropriate mitigation and
remediation actions.

Delivered In:
Sterling Connect:Direct for Windows 4.5.00 Patch 056
Sterling Connect:Direct for Windows 4.5.01 Patch 022
Sterling Connect:Direct for Windows 4.6.0.5_iFix010
Sterling Connect:Direct for Windows 4.7.0.3_iFix004

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IT08243
    • 

  • Reported component name
    STR CD FOR WIND
    • 

  • Reported component ID
    5725C9908
    • 

  • Reported release
    460
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2015-04-13
    • 

  • Closed date
    2015-04-23
    • 

  • Last modified date
    2015-04-23
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    STR CD FOR WIND
    • 

  • Fixed component ID
    5725C9908
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSRRVY","label":"Sterling Connect:Direct for Microsoft Windows"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.6","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            25 August 2023
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback