How to disable cipher block chaining (CBC) ciphers in IBM Spectrum® Control in response to the Lucky 13 vulnerability.
If needed, you can disable cipher block chaining (CBC) ciphers in IBM Spectrum Control in response to the Lucky 13 vulnerability.
Problem
IBM Spectrum Control contains all of the necessary patches to properly address the Lucky 13 vulnerability (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169). However, you might also want to disable CBC ciphers in IBM Spectrum Control in response to the Lucky 13 vulnerability.
Important: After you disable the CBC ciphers, IBM Spectrum Control does not manage IBM® DS8000® storage systems unless they are updated to a firmware level that provides GCM cipher support. For more information, contact IBM DS8000 storage system support.
Action
To disable CBC ciphers in IBM Spectrum Control, complete these steps:
- Stop all IBM Spectrum Control servers.
- Open the installation_dir/jre/conf/security/java.security file.
- To disable CBC ciphers in IBM Spectrum Control, insert AES_128_CBC, AES_256_CBC into the jdk.tls.disabledAlgorithms line.
  BEFORE
  jdk.tls.disabledAlgorithms=MD5withRSA, DH keySize < 1024, EC keySize < 224, TLSv1,TLSv1.1, anon, NULL
  AFTER
  jdk.tls.disabledAlgorithms=MD5withRSA, DH keySize < 1024, EC keySize < 224, TLSv1,TLSv1.1, AES_128_CBC, AES_256_CBC, anon, NULL
- Restart the IBM Spectrum Control servers.
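
One way to confirm the edit before restarting, as an added example that is not part of the IBM procedure: the script reads a java.security file and reports which of the two CBC entries are still absent from the active jdk.tls.disabledAlgorithms value. The function names are hypothetical, and the sample files are constructed from the BEFORE and AFTER lines above.

```shell
#!/bin/sh
# Added example (not IBM code): audit jdk.tls.disabledAlgorithms in java.security.

# Print the effective property value. Follows java.security's properties syntax:
# comment lines are skipped, a trailing backslash continues the line, and the
# last active definition wins.
disabled_algs() {
    awk '
        !cont && /^[ \t]*[#!]/ { next }
        {
            sub(/^[ \t]+/, "")
            line = (cont ? buf : "") $0
            cont = 0
            if (line ~ /\\$/) { sub(/\\$/, "", line); buf = line; cont = 1; next }
            if (line ~ /^jdk\.tls\.disabledAlgorithms[ \t]*[=:]/) {
                sub(/^[^=:]*[=:][ \t]*/, "", line)
                val = line
            }
        }
        END { print val }
    ' "$1"
}

# Print each required entry that is absent as a whole comma-separated token.
missing_cbc_entries() {
    tokens=$(disabled_algs "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    for want in AES_128_CBC AES_256_CBC; do
        printf '%s\n' "$tokens" | grep -qxF "$want" || printf '%s\n' "$want"
    done
}

# Constructed sample files: the BEFORE and AFTER lines from this page, the AFTER
# one split with a continuation and preceded by a commented-out copy.
demo_dir=$(mktemp -d)
cat > "$demo_dir/before" <<'EOF'
jdk.tls.disabledAlgorithms=MD5withRSA, DH keySize < 1024, EC keySize < 224, TLSv1,TLSv1.1, anon, NULL
EOF
cat > "$demo_dir/after" <<'EOF'
#jdk.tls.disabledAlgorithms=MD5withRSA, anon, NULL
jdk.tls.disabledAlgorithms=MD5withRSA, DH keySize < 1024, EC keySize < 224, \
    TLSv1,TLSv1.1, AES_128_CBC, AES_256_CBC, anon, NULL
EOF
for f in before after; do
    echo "$f: missing [$(missing_cbc_entries "$demo_dir/$f" | tr '\n' ' ')]"
done
rm -rf "$demo_dir"
```

Run `missing_cbc_entries installation_dir/jre/conf/security/java.security` against the edited file; empty output means both entries are on the active line.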