How to disable cipher block chaining (CBC) ciphers in IBM Spectrum Control in response to the Lucky 13 vulnerability.

If needed, you can disable cipher block chaining (CBC) ciphers in IBM Spectrum Control in response to the Lucky 13 vulnerability.

Problem

IBM Spectrum Control contains all of the necessary patches to properly address the Lucky 13 vulnerability (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169). However, you might also want to disable CBC ciphers in IBM Spectrum Control in response to the Lucky 13 vulnerability.

Important: After you disable the CBC ciphers, IBM Spectrum Control does not manage IBM DS8000 storage systems unless they are updated to a firmware level that provides GCM cipher support. For more information, contact IBM DS8000 storage system support.

Action

To disable CBC ciphers in IBM Spectrum Control, complete these steps:
  1. Stop all IBM Spectrum Control servers.
  2. Open the installation_dir/jre/lib/security/java.security file.
  3. Add AES_128_CBC and AES_256_CBC to the jdk.tls.disabledAlgorithms line.

    BEFORE

    jdk.tls.disabledAlgorithms=MD5withRSA, DH keySize < 1024, EC keySize < 224, TLSv1,TLSv1.1, anon, NULL

    AFTER

    jdk.tls.disabledAlgorithms=MD5withRSA, DH keySize < 1024, EC keySize < 224, TLSv1,TLSv1.1, AES_128_CBC, AES_256_CBC, anon, NULL
  4. Restart the IBM Spectrum Control servers.
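
To confirm the edit from step 3 before restarting, the following added example (not IBM code) parses a java.security file and reports which of the two CBC entries are still missing from the effective jdk.tls.disabledAlgorithms definition. It assumes standard Java properties syntax (# or ! comments, backslash line continuations, the last definition of a key wins); the function names, the script name and the sample strings are chosen for illustration.

```python
import re
import sys

PROP = "jdk.tls.disabledAlgorithms"
REQUIRED = ("AES_128_CBC", "AES_256_CBC")  # the two entries step 3 adds

# Sample values: the BEFORE and AFTER lines from the procedure above.
BEFORE = PROP + "=MD5withRSA, DH keySize < 1024, EC keySize < 224, TLSv1,TLSv1.1, anon, NULL"
AFTER = (PROP + "=MD5withRSA, DH keySize < 1024, EC keySize < 224, TLSv1,TLSv1.1, "
         "AES_128_CBC, AES_256_CBC, anon, NULL")

def logical_lines(text):
    """Yield property lines: comments dropped, backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line[0] in "#!"):
            continue                      # blank line or comment
        if line.endswith("\\"):
            buf += line[:-1]              # value continues on the next line
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def disabled_algorithms(text):
    """Entries of the last definition of the property (later definitions override)."""
    entries = []
    pattern = re.compile(re.escape(PROP) + r"\s*[=:]\s*(.*)$")
    for line in logical_lines(text):
        m = pattern.match(line)
        if m:
            entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return entries

def missing_cbc_entries(text):
    """Return the required CBC entries that are not in the effective list."""
    present = set(disabled_algorithms(text))
    return [name for name in REQUIRED if name not in present]

if __name__ == "__main__":
    # Usage (hypothetical script name):
    #   python check_cbc.py installation_dir/jre/lib/security/java.security
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        missing = missing_cbc_entries(fh.read())
    print("missing: " + ", ".join(missing) if missing else "both CBC entries present")
    sys.exit(1 if missing else 0)
```

The script exits with status 1 when either entry is missing, so it can gate the restart in step 4.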