Fixes are available
APAR status
Closed as program error.
Error description
This is code remediation for the Poodle 2 vulnerabiliry
Local fix
n/a
Problem summary
Vulnerability in TLS affects IBM Tivoli Monitoring (CVE-2014-8730) A new variant of the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack for TLS may affect IBM Tivoli Monitoring (ITM).
Problem conclusion
Use of TLS pad bytes has been fortified in the IBM Tivoli Monitoring Server. NOTE: Once IV68044 has been installed on a management server, older agents running IBM Tivoli Monitoring 6.2.1 and 6.2.0 shared components will not able able to connect. If an agent is running with IBM GSKit Security Interface 7.3.x.x or lower (component GS) , it will not longer be able to connect to a management server once IV68044 provisional or 6.3.0 FP5 has been installed, due to APAR IV68044. This is because the older GSKit version only supports SSL and APAR IV68044 disables the use of SSL. The IBM TIvoli Monitoring GSKit version needs to be at 7.4 or later. To address the issue: - If the agent is an OS agent, upgrade the agent to 6.22 or above. Recommend 6.22 FP9, 6.23 FP5, or 6.30 FP4 This will update the shared components, including GSKit to the level required. This will also upgrade the OS agent. - OR - - If the agent is a non-OS agent or do not wish to upgrade the OS agent, then just the shared components on the agent system can be upgrade to 6.22 FP9 or 6.23 FP5. Note: You cannot upgrade the shared components to 6.30 or higher if the OS agent is less than 6.30. The agent will remain at at the same version. This will update the shared components (GSKit, shared libraries, Java). To upgrade just the shared components on a system, it can be done using local install (install.sh) or remote deploy (updateframework). This technote includes more details: http://www-01.ibm.com/support/docview.wss?uid=swg21673490 Note that to use the remote deploy option, the shared components on the agent needs to be updated before IV68044 provisional or 6.3.0 FP5 is installed on the management server so the agent can still connect for the installation. If the APAR has been installed via a provisional, then the APAR can be temporarily removed from the management server so the agent machine(s) can connect. Once the shared components have been updated, then the APAR can be re-installed. The fix for this APAR is contained in the following maintenance packages: | fix pack | 6.3.0-TIV-ITM-FP0005 | provisional | 6.3.0-TIV-ITM-FP0004-IV68044 | provisional | 6.2.3-TIV-ITM-FP0005-IV68044 | provisional | 6.2.2-TIV-ITM-FP0009-IV68044
Temporary fix
Comments
APAR Information
APAR number
IV68044
Reported component name
TEMS
Reported component ID
5724C04MS
Reported release
630
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-12-19
Closed date
2015-06-02
Last modified date
2015-06-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TEMS
Fixed component ID
5724C04MS
Applicable component levels
R630 PSY
UP
[{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTFXA","label":"Tivoli Monitoring"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"630"}]
Document Information
Modified date:
30 December 2022