IBM Support

IV68044: POODLE 2 PAD BYTE ENFORCEMENT


APAR status

  • Closed as program error.

Error description

  • This is code remediation for the Poodle 2 vulnerability.
    

Local fix

  • n/a
    

Problem summary

  • Vulnerability in TLS affects IBM Tivoli Monitoring
    (CVE-2014-8730)
    
    A new variant of the Padding Oracle On Downgraded Legacy
    Encryption (POODLE) attack for TLS may affect IBM Tivoli
    Monitoring (ITM).
    

Problem conclusion

  • Use of TLS pad bytes has been fortified in the IBM Tivoli
    Monitoring Server.
    
    
    NOTE:
    Once IV68044 has been installed on a management server, older
    agents running IBM Tivoli Monitoring 6.2.1 and 6.2.0 shared
    components will not be able to connect.
    
    If an agent is running with IBM GSKit Security Interface
    7.3.x.x or lower (component GS), it will no longer be able to
    connect to a management server once IV68044 provisional or 6.3.0
    FP5 has been installed, due to APAR IV68044. This is because
    the older GSKit version only supports SSL and APAR IV68044
    disables the use of SSL. The IBM Tivoli Monitoring GSKit
    version needs to be at 7.4 or later.
    
    To address the issue:
    
    - If the agent is an OS agent, upgrade the agent to 6.22 or
      above. The recommended levels are 6.22 FP9, 6.23 FP5, or
      6.30 FP4. This will update the shared components, including
      GSKit, to the level required. This will also upgrade the OS
      agent.
    
    - OR -
    
    - If the agent is a non-OS agent, or you do not wish to upgrade
      the OS agent, then just the shared components on the agent
      system can be upgraded to 6.22 FP9 or 6.23 FP5.
    
      Note:  You cannot upgrade the shared components to 6.30 or
      higher if the OS agent is less than 6.30.
    
      The agent will remain at the same version. This will
      update the shared components (GSKit, shared libraries, Java).
    
      Just the shared components on a system can be upgraded using
      a local install (install.sh) or remote deploy
      (updateframework). This technote includes more details:
      http://www-01.ibm.com/support/docview.wss?uid=swg21673490
    
      Note that to use the remote deploy option, the shared
      components on the agent need to be updated before IV68044
      provisional or 6.3.0 FP5 is installed on the management
      server, so the agent can still connect for the installation.
    
      If the APAR has been installed via a provisional, then the
      APAR can be temporarily removed from the management server so
      the agent machine(s) can connect. Once the shared
      components have been updated, the APAR can be
      re-installed.
    
    
    The fix for this APAR is contained in the following maintenance
    packages:
    
      | fix pack | 6.3.0-TIV-ITM-FP0005
      | provisional | 6.3.0-TIV-ITM-FP0004-IV68044
      | provisional | 6.2.3-TIV-ITM-FP0005-IV68044
      | provisional | 6.2.2-TIV-ITM-FP0009-IV68044
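
What pad byte enforcement means at the TLS record layer, as an added example that is not IBM's or GSKit's code: a lax check that trusts only the final length byte, beside the TLS rule that every pad byte must equal the pad length. The function names, the 16-byte block and 20-byte MAC sizes, and the sample record are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Shared sanity checks; returns the pad length byte, or -1 if malformed. */
static long pad_len(const uint8_t *rec, size_t len, size_t block, size_t mac)
{
    if (len == 0 || len % block != 0)
        return -1;
    size_t pad = rec[len - 1];
    return (pad + 1 + mac > len) ? -1 : (long)pad;
}

/* Lax (SSL 3.0 style): trusts the length byte, never inspects pad bytes. */
long payload_len_lax(const uint8_t *rec, size_t len, size_t block, size_t mac)
{
    long pad = pad_len(rec, len, block, mac);
    return pad < 0 ? -1 : (long)(len - (size_t)pad - 1 - mac);
}

/* Enforced (RFC 5246, 6.2.3.2): every pad byte must equal the pad length. */
long payload_len_strict(const uint8_t *rec, size_t len, size_t block, size_t mac)
{
    long pad = pad_len(rec, len, block, mac);
    uint8_t bad = 0;
    for (long i = 0; i <= pad; i++)   /* accumulate mismatches, no early exit */
        bad |= (uint8_t)(rec[len - 1 - (size_t)i] ^ (uint8_t)pad);
    return (pad < 0 || bad) ? -1 : (long)(len - (size_t)pad - 1 - mac);
}

/* Constructed sample: 8-byte payload + 20-byte MAC stand-in + 20 bytes of
 * padding (19 pad bytes plus the length byte, all 0x13) = 48 bytes. */
void make_sample(uint8_t rec[48], int tamper)
{
    memset(rec, 0xAA, 28);
    memset(rec + 28, 19, 20);
    if (tamper) rec[30] ^= 0xFF;      /* one pad byte altered in transit */
}

int main(void)
{
    uint8_t rec[48];
    for (int t = 0; t <= 1; t++) {
        make_sample(rec, t);
        printf("tampered=%d lax=%ld strict=%ld\n", t,
               payload_len_lax(rec, 48, 16, 20), payload_len_strict(rec, 48, 16, 20));
    }
    return 0;
}
```

The lax check reports the same payload length for the intact and the altered record, while the enforced check rejects the altered one before any MAC processing.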
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV68044

  • Reported component name

    TEMS

  • Reported component ID

    5724C04MS

  • Reported release

    630

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-12-19

  • Closed date

    2015-06-02

  • Last modified date

    2015-06-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TEMS

  • Fixed component ID

    5724C04MS

Applicable component levels

  • R630 PSY

       UP


Document Information

Modified date:
30 December 2022