Security Bulletin: Vulnerability in TLS affects IBM Tivoli Monitoring (CVE-2014-8730 )

Remediation/Fixes

Portal Server, Distrbitued Management Servers, and Distrbitued Agents

GSKit Remediation:

The following patches are provided to address the issue with TLS in common code that is shared across ITM components. The following patches should be installed on each portal server, distributed management server (hub and remote), and ITM distributed agent systems (unless the Service Console is disabled, see below):

• 6.30: Install 6.3.0-TIV-ITM-FP0004-IV68044
• 6.23: Install 6.2.3-TIV-ITM-FP0005-IV68044
• 6.22: Install 6.2.2-TIV-ITM-FP0009-IV68044 (prereqs 6.2.2-TIV-ITM-FP0009-IV56302 to get to correct GSKit version)
• 6.21/6.20: Upgrade to one of the versions above. Call support if unable to upgrade.

The following link contains information about accessing the patches above:
http://www.ibm.com/support/docview.wss?uid=swg24039203


NOTE: The fix for IV68044 supercedes and includes the fix for POODLE vulnerability in SSLv3 as addressed by APAR fix IV66217. Once the patch above for IV68044 is installed, the patch for IV66217 is not needed and should not be installed afterwards.


Distributed Agents
For agent systems, the patch above updates the IBM Tivoli Monitoring Shared Libraries (ax component on UNIX/Linux) or Tivoli Enterprise Monitoring Agent Framework (GL component on Windows). The technote Upgrading Shared Components for IBM Tivoli Monitoring Agents provides information on how shared libraries are used.

For Agents running on distributed environments, it is recommended to install the patch above. However, if that cannot be done, the Service Console can be disabled using the steps below to remediate the vulnerability.

NOTE: Disabling the service console using the steps below will result in the following functions to be disabled for that agent:

• SOAP requests
• tacmd commands
• dynamic trace

For this reason, HTTP_SERVER:N should be configured on agent endpoints ONLY and only if these functions are not needed by the user or agents installed on that system.

These these steps will need to be done for each agent and agent instance on the system.

Windows:

• From the MTEMS, right-click on the agent or agent instance and select Advanced..Edit Variables.
• Select KDC_FAMILIES. Add "HTTP_SERVER:N" to the beginning. For example,
HTTP_SERVER:N @Protocol@
Save the value.
• Restart the agent or agent instance.

UNIX/Linux::

• Update the <pc>.ini file and locate the line 'KDC_FAMILIES'. Add "HTTP_SERVER:N" to the front of the line. For example, if the default line looks like:
KDC_FAMILIES=$NETWORKPROTOCOL$
Change it to the following
KDC_FAMILIES=HTTP_SERVER:N $NETWORKPROTOCOL$
• For multi-instance agents, if the <pc>_<instance>.config file exists, edit it and locate the 'KDC_FAMILIES'. Add "HTTP_SERVER:N" to the front of the line. For example, if the default line looks like:
export KDC_FAMILIES='ip.pipe port:1918 ip.spipe use:n sna use:n ip use:n ip6.pipe use:n ip6.spipe use:n ip6 use:n'
Change it to the following:
export KDC_FAMILIES='HTTP_SERVER:N ip.pipe port:1918 ip.spipe use:n sna use:n ip use:n ip6.pipe use:n ip6.spipe use:n ip6 use:n'
• Restart the agent or agent instance

Java Remediation:

The following are the Fix Packs or patches that remediate Java:

• 6.30: Install 6.30 FP2 or later
• 6.23
• 6.23 through 6.23 FP3:
• Install 6.X.X-TIV-ITM_JRE_TEP_6.13.02.00 or later
• Install 6.X.X-TIV-ITM_JRE_CANDLEHOME_6.15.01.00
• 6.23 FP4 through 6.23 FP5:
• Install 6.X.X-TIV-ITM_JRE_CANDLEHOME_6.15.01.00
• 6.22
• Install 6.X.X-TIV-ITM_JRE_TEP_5.16.02.00 or later
• Install 6.X.X-TIV-ITM_JRE_CANDLEHOME_5.16.06.00
• 6.21/6.20: Upgrade to one of the versions above. Call support if unable to upgrade.

For distributed agent systems, the CANDLEHOME patches above update the shared Tivoli Enterprise-supplied JRE (jr component on UNIX/Linux) or Embedded JVM (JVM component on Windows). The technote Upgrading Shared Components for IBM Tivoli Monitoring Agents provides information on how shared libraries are used.

Portal server - IBM HTTP Server (IHS)

1. In order to resolve the vulnerability, IHS must be upgraded to the following versions:

IBM Tivoli Monitoring 623 - IHS version 7.0.0.33
IBM Tivoli Monitoring 630 - IHS version 8.0.0.9

Follow the instructions for upgrading the IBM HTTP Server in the following SMC blog post:

https://www.ibm.com/developerworks/community/blogs/0587adbc-8477-431f-8c68-9226adea11ed/entry/apply_maintenance_to_the_ibm_http_server_installed_with_ibm_tivoli_monitoring?lang=en

2. Stop the portal server.

3. Edit the IHS configuration file:

Windows: <install_dir>\IHS\conf\httpd.conf
Linux/UNIX, 623: <install_dir>/<arch>/iu/ihs/conf/httpd.conf
Linux/UNIX, 630: <install_dir>/<arch>/iu/ihs/HTTPServer/conf/httpd.conf

4. Find the virtual host section that configures HTTPS. It will be similar to that shown below. Note that if you have changed the HTTPS port to a value other than the default 15201, the port number will be different than shown below:

<VirtualHost *:15201>
DocumentRoot "/opt/IBM/ITM/lx8266/cw/"
SSLEnable
SSLProtocolDisable SSLv2
SSLProtocolDisable SSLv3
SSLProtocolEnable TLSv10
SSLProtocolEnable TLSv11
SSLProtocolEnable TLSv12
ErrorLog "/opt/IBM/ITM/lx8266/iu/ihs/HTTPServer/logs/sslerror.log"
TransferLog "/opt/IBM/ITM/lx8266/iu/ihs/HTTPServer/logs/sslaccess.log"
KeyFile "/opt/IBM/ITM/keyfiles/keyfile.kdb"
SSLStashfile "/opt/IBM/ITM/keyfiles/keyfile.sth"
SSLServerCert IBM_Tivoli_Monitoring_Certificate
</VirtualHost>

5. Add the following parameter after the SSLEnable parameter:

SSLAttributeSet 471 1

6. Restart the portal server.

Portal Server Communication with Portal Clients:

Portal Server Communication with Portal Clients when configured to use SSL over IIOP protocol. SSL over IIOP is being used if both conditions below are true:
- HTTPS is not being used

- applet.html file does not have the tep.connection.protocol=http or https AND
- tep.jnlp file does not have tep.connection.protocol=https

- the KFW_INTERFACE_cnps_SSL is set to "Y" in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config)

Fix	VMRF	Remediation/First Fix
6.3.0-TIV-ITM-FP0005-IV74486	6.3.0	http://www.ibm.com/support/docview.wss?uid=swg24040448
6.2.3-TIV-ITM-FP0005-IV74486	6.2.3	http://www.ibm.com/support/docview.wss?uid=swg24040448
6.2.2-TIV-ITM-FP0009-IV74486	6.2.2	http://www.ibm.com/support/docview.wss?uid=swg24040448
6.3.0-TIV-ITM-FP0006	6.3.0.x	http://www.ibm.com/support/docview.wss?uid=swg24040390 Check link for status on availability.

For IBM Tivoli Monitoring 6.2.0 and 6.2.1, IBM recommends upgrading to a fixed, supported version/release of the product as listed above.

You should verify applying this fix does not cause any compatibility issues.

Situation Update Forwarder (SUF)

One of the following versions of SUF should be installed to remediate the vulnerability for POODLE for both TLS and SSLv3:

• Situation Update Forwarder 6.23 FP5 + 6.2.3.TIV-ITM-FP0005-IV66139
• Situation Update Forwarder 6.30 FP3 + 6.2.3.TIV-ITM-FP0005-IV66139
• Situation Update Forwarder 6.30 FP4

Note: The version of SUF should match or be higher than the management server(s) it connects to send event information.