IBM Support

PM04483: CVE-2009-3555: TLS/SSL PROTOCOL VULNERABILITY FOR WSAS SDK 1.5 SR11

Abstract

CVE-2009-3555: TLS/SSL PROTOCOL VULNERABILITY FOR WSAS SDK 1.5 SR11

Download Description

ERROR DESCRIPTION:
CVE-2009-3555: TLS/SSL PROTOCOL VULNERABILITY FOR WSAS SDK 1.5 SR11

Versions affected:

IBM WebSphere Application Server (WSAS) Versions 6.1 through 6.1.0.x. A separate APAR and fix will be available for WSAS V6.0.2.x. This does not occur on WSAS Version 7.0 or later.

NOTE: The SDK code base used for building this fix is:
WSAS SDK V6.1.0.29 - 1.5.0 Java Technology Edition SR11

The fix can be applied to any version of WSAS V6.1.0.x, but note that applying it will update your SDK level to V6.1.0.29 plus this APAR fix to resolve the TLS problem. The WSAS level itself remains unchanged after applying this fix.

LOCAL FIX:
None

PROBLEM SUMMARY
TLS/SSL PROTOCOL VULNERABILITY FOR WSAS SDK 1.5 SR11

USERS AFFECTED:
All users of IBM WebSphere Application Server V6.1

PROBLEM DESCRIPTION:

All customers using WebSphere Application Server relying on Secure Socket Layer v3 (SSLv3) or any of the multiple versions of Transport Layer Security (TLS) in support of secure communications between a client and server or between server and server are impacted by a recently discovered weakness in the TLS and SSLv3 protocols. SSLv2 is not affected.

The TLS/SSL weakness exists in multiple implementations of the Transport Layer Security (TLS) protocol, including SSL.

RECOMMENDATION:

To address the weakness in the TLS/SSL handshake renegotiation, IBM, along with the other members of the Industry Consortium for the Advancement of Security on the Internet (ICASI), is working together with the Internet Engineering Task Force (IETF) to enhance and strengthen the handshake renegotiation protocol in the TLS specification. This effort will take some time to complete. The delivery outlook for inclusion of this enhanced handshake renegotiation capability in TLS protocol implementations is unknown at this time.

In the interim, WebSphere Application Server is delivering this APAR to allow an installation to disable the TLS handshake renegotiation. The TLS handshake renegotiation is rarely used. Disabling the TLS handshake renegotiation will block a remote attacker from attempting to exploit the weakness in the TLS protocol. After installing this fix, the default setting will disable the TLS handshake renegotiation. The fix also provides an option to re-enable renegotiation if warranted. TLS handshake renegotiation should be re-enabled only if absolutely necessary and with a clear understanding and acceptance of the potential security risks.

IBM Java Secure Socket Extensions (JSSE) includes TLS support. If your Java application uses JSSE for secure communication, you can disable TLS renegotiation by installing this APAR. After installing this APAR, the following properties are added:

com.ibm.jsse2.renegotiate=[ALL | NONE | ABBREVIATED]
ALL: allow both abbreviated and unabbreviated (full) renegotiation handshakes.
NONE: allow no renegotiation handshakes. This option is the new default setting.
ABBREVIATED: allow only abbreviated renegotiation handshakes.
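The following is an added example, not code from the APAR or from IBM's JSSE implementation: a small audit helper that classifies the effective com.ibm.jsse2.renegotiate setting using the three values documented above, treating an unset property as the post-fix default (NONE). The class name, the enum, and the assumption that an unset value means NONE only once this APAR is installed are all choices made here for illustration; the property name and its values come from the page.

```java
// Added example (not from the IBM APAR page): classify the effective
// com.ibm.jsse2.renegotiate policy so an operator can confirm that the
// post-fix default (NONE) is actually in force on a given JVM.
import java.util.Locale;

public final class RenegotiationPolicyCheck {

    /** Property introduced by the APAR. */
    public static final String PROPERTY = "com.ibm.jsse2.renegotiate";

    /** Values documented for the property: ALL, NONE (default after the fix), ABBREVIATED. */
    public enum Policy { ALL, NONE, ABBREVIATED }

    /**
     * Parse a raw property value. An unset or blank value is treated as NONE,
     * which assumes the APAR is installed (before the fix there is no such
     * default and renegotiation is simply allowed).
     */
    public static Policy effectivePolicy(String raw) {
        if (raw == null || raw.trim().isEmpty()) {
            return Policy.NONE; // assumption: post-fix default
        }
        try {
            return Policy.valueOf(raw.trim().toUpperCase(Locale.ROOT));
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException(
                "Unrecognised value for " + PROPERTY + ": '" + raw
                + "' (expected ALL, NONE or ABBREVIATED)", e);
        }
    }

    /**
     * Only NONE disables renegotiation handshakes entirely, which is the setting
     * the APAR describes as blocking exploitation of the weakness. ALL and
     * ABBREVIATED both permit some form of renegotiation and therefore need the
     * explicit risk acceptance the recommendation calls for.
     */
    public static boolean blocksRenegotiation(Policy p) {
        return p == Policy.NONE;
    }

    public static void main(String[] args) {
        Policy p = effectivePolicy(System.getProperty(PROPERTY));
        System.out.println(PROPERTY + " effective policy: " + p);
        if (!blocksRenegotiation(p)) {
            System.out.println("WARNING: renegotiation handshakes are permitted (" + p + ").");
        }
    }
}
```

Run it on the same JVM and with the same system properties as the application, for example `java -Dcom.ibm.jsse2.renegotiate=ABBREVIATED RenegotiationPolicyCheck`, to see how a given setting is classified; a value that is misspelled (say, "None " with trailing characters beyond whitespace, or "OFF") is rejected rather than silently mapped to the default, so a typo in a startup script does not masquerade as a hardened configuration.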

PROBLEM CONCLUSION:
The iFix is built on SDK 1.5 SR11. However, this SDK iFix can be applied to any SDK 1.5 SR11 or lower. By doing so, the SDK will be replaced with SDK 1.5 SR11 plus this iFix.

Prerequisites:
    Update installer (AIX, English, 7250000 bytes): http://www-01.ibm.com/support/docview.wss?uid=swg21205991

Installation instructions:
    readme (English, 4798 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM04483/readme.txt

Download packages (all dated 1/21/2010, English). Each package is available from Fix Central at
    http://www.ibm.com/support/fixcentral/quickorder?fixids=<fix id>&source=dbluesearch&product=ibm%2FWebSphere%2FWebSphere+Application+Server
and by FTP at
    ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM04483/<fix id>.pak

    Platform                               Fix id                                        Size (bytes)
    AIX 32-bit Power PC Java SDK           6.1.0.X-WS-WASJavaSDK-AixPPC32-IFPM04483      64500359
    AIX 64-bit Power PC Java SDK           6.1.0.X-WS-WASJavaSDK-AixPPC64-IFPM04483      64950743
    HP-UX 64-bit Intel Itanium Java SDK    6.1.0.X-WS-WASJavaSDK-HpuxIA64-IFPM04483      70107887
    HP-UX 32-bit HP PA-RISC Java SDK       6.1.0.X-WS-WASJavaSDK-HpuxPaRISC-IFPM04483    55503712
    Linux 32-bit i/p Series Java SDK       6.1.0.X-WS-WASJavaSDK-LinuxPPC32-IFPM04483    70242904
    Linux 64-bit i/p Series Java SDK       6.1.0.X-WS-WASJavaSDK-LinuxPPC64-IFPM04483    68404863
    Linux 32-bit S/390                     6.1.0.X-WS-WASJavaSDK-LinuxS390-IFPM04483     64043714
    Linux 64-bit S/390                     6.1.0.X-WS-WASJavaSDK-LinuxS39064-IFPM04483   64055259
    Linux 32-bit x86 AMD/Intel Java SDK    6.1.0.X-WS-WASJavaSDK-LinuxX32-IFPM04483      62409007
    Linux 64-bit x86 AMD/Intel Java SDK    6.1.0.X-WS-WASJavaSDK-LinuxX64-IFPM04483      64228619
    Solaris 32-bit SPARC                   6.1.0.X-WS-WASJavaSDK-SolarisSparc-IFPM04483  54081829
    Solaris 64-bit SPARC                   6.1.0.X-WS-WASJavaSDK-SolarisSparc64-IFPM04483 67487430
    Solaris 64-bit x86                     6.1.0.X-WS-WASJavaSDK-SolarisX64-IFPM04483    55788646
    Win 32-bit x86 AMD/Intel Java SDK      6.1.0.X-WS-WASJavaSDK-WinX32-IFPM04483        75135786
    Win 64-bit x86 AMD/Intel Java SDK      6.1.0.X-WS-WASJavaSDK-WinX64-IFPM04483        70058995

Applies to:
    Product: WebSphere Application Server (SSEQTP)
    Component: Java SDK
    Platforms: AIX, HP-UX, Linux, Solaris, Windows
    Versions: 6.1, 6.1.0.1, 6.1.0.3, 6.1.0.5, 6.1.0.7, 6.1.0.9, 6.1.0.11, 6.1.0.13, 6.1.0.15, 6.1.0.17, 6.1.0.19, 6.1.0.21, 6.1.0.23, 6.1.0.25, 6.1.0.27, 6.1.0.29
    Editions: Base, Network Deployment

Document Information

Modified date:
15 June 2018

UID

swg24025718