IBM Support

Security Bulletin: Vulnerability in RC4 stream cipher affects OpenPages GRC Platform with Application Server (CVE-2015-2808)

Summary

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects OpenPages GRC Platform with Application Server.

Vulnerability Details

CVEID: CVE-2015-2808
DESCRIPTION: The RC4 algorithm, as used in the TLS and SSL protocols, could allow a remote attacker to obtain sensitive information. The attack exploits the Invariance Weakness of RC4 (a class of weak keys leaves the first bytes of keystream biased), so an attacker who passively captures a large number of RC4-protected SSL/TLS sessions can recover parts of the plaintext, such as account credentials, without an active man-in-the-middle position. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as the "Bar Mitzvah Attack".
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

OpenPages GRC Platform with Application Server 6.2.0, 6.2.1, 7.0 (embedded application server versions)

Remediation/Fixes

None

Workarounds and Mitigations

The embedded application server can be reconfigured to accept only a known-good cipher suite, which avoids this issue. Please note that this remediation changes the list of cipher suites accepted by the application server: the steps below pin every SSL listener to the single suite TLS_RSA_WITH_AES_128_CBC_SHA and switch the server to the JSSE SSL implementation, so any client or integration that cannot negotiate that suite will fail to connect. While no issues have been found in internal testing, we encourage you to test this configuration on a test system in your environment prior to using it in production.

Mitigation Steps:

  1. Stop all servers. For details on stopping services, see the “Starting and Stopping Servers” chapter in the IBM® OpenPages® GRC Platform Administrator’s Guide.
  2. Log into the Windows console of the primary application server as an administrator.
  3. Launch regedit.exe
  4. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\OpenPagesAdminServer\Parameters
  5. Right-click on the Parameters key and select Export.
  6. Create a backup directory (you will be repeating this export with other keys).
  7. Save the export as OpenPagesAdminServer
  8. Select the current value for CmdLine
  9. Paste it into a text editor such as Notepad
  10. Move to the very end of the string and you will find the text "weblogic.Server"
  11. Insert the string "-Dweblogic.security.SSL.protocolVersion=TLS1" before "weblogic.Server".

    For example, change:

    -Djava.security.policy="C:\oracle\middleware\wlserver_10.3\server\lib\weblogic.policy" weblogic.Server

    to:

    -Djava.security.policy="C:\oracle\middleware\wlserver_10.3\server\lib\weblogic.policy" -Dweblogic.security.SSL.protocolVersion=TLS1 weblogic.Server

  12. Copy the string from your editor and use it to replace the current contents of the CmdLine setting.
  13. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\OpenPagesServer1\Parameters
  14. Right-click on the Parameters key and select Export.
  15. Save the export as OpenPagesServer1 in the backup directory
  16. Repeat steps 8 through 12 for this key.
  17. If you have additional nodes installed (for example OpenPagesServer2), repeat the export and the CmdLine edit, adding "-Dweblogic.security.SSL.protocolVersion=TLS1", for each node.
  18. Repeat the process for the workflow servers by editing:
    - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\InterstageBPMAdminServer\Parameters
    - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\InterstageBPMCS1\Parameters
    - Any additional nodes installed (for example InterstageBPMCS2)
  19. Close Registry Editor
  20. Navigate to the file <OpenPages_Home>\OpenPagesDomain\config\config.xml


    For example:

    C:\OpenPages\OpenPagesDomain\config\config.xml

  21. Make a backup copy of the file
  22. Edit the file in Notepad or a similar text editor.
  23. Locate the following section:

    <server>
    <name>OpenPagesAdminServer</name>
    <ssl>
    <name>OpenPagesAdminServer</name>
    <enabled>true</enabled>

  24. Add the following below the <enabled>true</enabled> line:


    <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
    <jsse-enabled>true</jsse-enabled>

  25. Look further down the file for the section:


    <server>
    <name>ServerName-OpenPagesServer1</name>
    <max-message-size>2000000000</max-message-size>
    <ssl>
    <enabled>true</enabled>

  26. Add the following below the <enabled>true</enabled> line:


    <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>

  27. In the same <ssl> block, add <jsse-enabled>true</jsse-enabled> just before the closing </ssl>. Your <ssl> block should now look something like the following:


    <ssl>
    <enabled>true</enabled>
    <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
    <listen-port>7010</listen-port>
    <server-private-key-alias>mystrongcert</server-private-key-alias>
    <server-private-key-pass-phrase-encrypted>{AES}123456abce=</server-private-key-pass-phrase-encrypted>
    <jsse-enabled>true</jsse-enabled>
    </ssl>


  28. Make the same changes to any additional nodes you have configured (for example ServerName-OpenPagesServer2).
  29. Save and close config.xml
  30. Navigate to the file <Fujitsu_Home>\InterstageBPM\IBPMDomain\config\config.xml


    For example:

    C:\Fujitsu\InterstageBPM\IBPMDomain\config\config.xml

  31. Make a backup copy of the file
  32. Edit the file in Notepad or a similar text editor.
  33. Locate the following section:

    <server>
    <name>AdminServer</name>
    <ssl>
    <name>AdminServer</name>
    <enabled>true</enabled>

  34. Add the following below the <enabled>true</enabled> line:



    <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>

  35. In the same <ssl> block, add <jsse-enabled>true</jsse-enabled> just before the closing </ssl>. Your <ssl> block should now look like the following:


    <ssl>
    <enabled>true</enabled>
    <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
    <listen-port>49902</listen-port>
    <jsse-enabled>true</jsse-enabled>
    </ssl>

  36. Look further down the file for the section:


    <server>
    <name>ServerName-InterstageBPMCS1</name>
    <max-message-size>2000000000</max-message-size>
    <ssl>
    <enabled>true</enabled>

  37. Add the following below the <enabled>true</enabled> line:


    <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>

  38. In the same <ssl> block, add <jsse-enabled>true</jsse-enabled> just before the closing </ssl>. Your <ssl> block should now look something like the following:


    <ssl>
    <enabled>true</enabled>
    <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
    <listen-port>49952</listen-port>
    <jsse-enabled>true</jsse-enabled>
    </ssl>


  39. Make the same changes to any additional nodes you have configured (for example ServerName-InterstageBPMCS2).
  40. Save and close config.xml
  41. You may now restart services.
  42. Once the services have restarted, connect to the application over HTTPS to validate that you can connect. Also confirm that the listeners no longer accept RC4: offer only RC4 cipher suites from an SSL/TLS scanning tool and check that the handshake is refused.
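The edits in steps 20 through 40 are manual and must be repeated on every node, which is where a listener is most easily left at its default suite list. The following audit script is an added example, not part of this bulletin or of the OpenPages product: it parses a WebLogic config.xml and reports every SSL-enabled server that lacks a <ciphersuite> restriction, still lists an RC4 suite, or does not have <jsse-enabled>true</jsse-enabled>. The embedded config is a constructed sample modelled on the excerpts above (one node deliberately left unpatched), and the namespace URI is the one real WebLogic domain files declare; the checks ignore namespaces so the sample and a real file are handled the same way.

```python
"""Audit a WebLogic config.xml for the mitigation described above.

For every <server> whose <ssl> block is enabled, check that the block
restricts negotiation with <ciphersuite>, that none of the listed suites
is RC4, and that <jsse-enabled> is true. Servers failing any check are
returned so that a node missed during the manual edit is not silently
left at the default (RC4-capable) suite list.
"""
import sys
import xml.etree.ElementTree as ET

# Real WebLogic domain files declare this default namespace; the excerpts in
# the bulletin omit it, so the checks below ignore namespaces entirely.
WL_NS = "http://xmlns.oracle.com/weblogic/domain"

# Constructed sample, not a real domain: the admin server and OpenPagesServer1
# carry the edits from steps 24 to 27, OpenPagesServer2 was skipped.
SAMPLE_CONFIG = f"""<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="{WL_NS}">
  <name>OpenPagesDomain</name>
  <server>
    <name>OpenPagesAdminServer</name>
    <ssl>
      <name>OpenPagesAdminServer</name>
      <enabled>true</enabled>
      <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
      <jsse-enabled>true</jsse-enabled>
    </ssl>
  </server>
  <server>
    <name>ServerName-OpenPagesServer1</name>
    <max-message-size>2000000000</max-message-size>
    <ssl>
      <enabled>true</enabled>
      <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
      <listen-port>7010</listen-port>
      <jsse-enabled>true</jsse-enabled>
    </ssl>
  </server>
  <server>
    <name>ServerName-OpenPagesServer2</name>
    <ssl>
      <enabled>true</enabled>
      <listen-port>7011</listen-port>
    </ssl>
  </server>
</domain>
"""


def _local(tag):
    """Strip a '{namespace}' prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else None


def audit_ssl_config(xml_data):
    """Return {server name: [problems]} for SSL-enabled servers that are not hardened."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    root = ET.fromstring(xml_data)
    findings = {}
    for server in _children(root, "server"):
        name = _text(server, "name") or "<unnamed>"
        ssl_blocks = _children(server, "ssl")
        if not ssl_blocks or _text(ssl_blocks[0], "enabled") != "true":
            continue  # no SSL listener on this server, nothing to negotiate
        ssl = ssl_blocks[0]
        suites = [(c.text or "").strip() for c in _children(ssl, "ciphersuite")]
        problems = []
        if not suites:
            problems.append("no <ciphersuite> restriction: server default suites (RC4 included) stay negotiable")
        rc4 = [s for s in suites if "RC4" in s.upper()]
        if rc4:
            problems.append("RC4 suite still listed: " + ", ".join(rc4))
        if _text(ssl, "jsse-enabled") != "true":
            problems.append("<jsse-enabled> is not true")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    findings = audit_ssl_config(data)
    if not findings:
        print("every SSL-enabled server is restricted to non-RC4 suites with JSSE enabled")
    for server, problems in findings.items():
        print(server)
        for problem in problems:
            print("  -", problem)
```

Run it with no arguments to see the sample report, or pass the path of a real domain file (both the OpenPagesDomain and the IBPMDomain config.xml) after step 40 and before restarting services; an empty report means every SSL listener in that domain carries the edits.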


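Step 42 shows only that a connection still works; it does not show that RC4 is gone. The probe below is an added example, not IBM's code, that makes the check explicit: it attempts one handshake offering only RC4 suites, which a hardened listener must refuse, and one offering only AES128-SHA (OpenSSL's name for TLS_RSA_WITH_AES_128_CBC_SHA, the suite pinned in config.xml above), which it must accept. The hostname, the default port 7010 (the OpenPagesServer1 listen port in the excerpt above) and the OpenSSL cipher-list strings are assumptions. The script handles the failure mode a practitioner will actually hit: a current OpenSSL build may be unable to offer RC4 at all, and that is reported as inconclusive rather than as a pass.

```python
"""Live check that an OpenPages HTTPS listener no longer negotiates RC4.

Two handshakes are attempted: one offering only RC4 suites, which a hardened
server must refuse, and one offering only AES128-SHA (OpenSSL's name for
TLS_RSA_WITH_AES_128_CBC_SHA, the suite pinned in config.xml above), which
it must accept. Host and port are assumptions; 7010 is the OpenPagesServer1
listen port shown in the bulletin's config.xml excerpt.
"""
import socket
import ssl
import sys

UNSUPPORTED = "unsupported-locally"  # the local OpenSSL cannot even offer these suites

# OpenSSL cipher-list syntax. SECLEVEL=0 is required on OpenSSL 1.1+ to offer RC4
# or to talk TLS 1.0; an OpenSSL 3 build without the legacy provider has no RC4 at all.
RC4_OFFER = "RC4:@SECLEVEL=0"
ALLOWED_OFFER = "AES128-SHA:@SECLEVEL=0"


def probe(host, port, cipher_spec, timeout=5.0):
    """Handshake with only cipher_spec offered.

    Returns the negotiated cipher name, None if the server refused the
    handshake (or is unreachable), or UNSUPPORTED if this client cannot
    offer cipher_spec, which must not be mistaken for a server refusal.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # cipher negotiation is under test, not the certificate chain
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # a WebLogic 10.3 listener may only speak TLS 1.0
    except (ValueError, ssl.SSLError):
        pass
    try:
        ctx.set_ciphers(cipher_spec)
    except ssl.SSLError:
        return UNSUPPORTED
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def classify(rc4_result, allowed_result):
    """Combine the two probe results into one verdict."""
    if UNSUPPORTED in (rc4_result, allowed_result):
        return "inconclusive"  # re-run from a client that can offer both suites
    if rc4_result:
        return "vulnerable"  # an RC4 suite was negotiated; the mitigation is not in effect
    if allowed_result:
        return "hardened"  # RC4 refused and the pinned suite accepted
    return "unreachable"  # both refused: server down, not TLS on this port, or pinned suite missing


def check_server(host, port):
    rc4 = probe(host, port, RC4_OFFER)
    allowed = probe(host, port, ALLOWED_OFFER)
    return {"rc4": rc4, "allowed": allowed, "verdict": classify(rc4, allowed)}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 7010
    result = check_server(host, port)
    print(f"{host}:{port}  RC4 offer -> {result['rc4']!r}  AES128-SHA offer -> {result['allowed']!r}")
    print("verdict:", result["verdict"])
```

Run it as `python probe_rc4.py <host> <port>` against each application and workflow listener after the restart in step 41 (7010, 49902 and 49952 appear in the excerpts above); only "hardened" confirms both that RC4 is refused and that the pinned suite is reachable, and "inconclusive" means the client, not the server, is the limitation.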



References


*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.


Document Information

Modified date:
15 June 2018

UID

swg21902774