APAR status
Closed as program error.
Error description
Error Message: N/A. Stack Trace: N/A. N/A
Local fix
Problem summary
For IBMJCEPlus and IBMJCEPlusFIPS providers, the dependent library 'IBM Crypto for C module' has been upgraded.
Problem conclusion
For IBMJCEPlus and IBMJCEPlusFIPS providers, the dependent library 'IBM Crypto for C module' has been upgraded.

The dependent library for IBMJCEPlus provider has been upgraded from version 8.5.38.0 to 8.7.6.0.
The dependent library for IBMJCEPlusFIPS provider has been upgraded from version 8.4.1.0 to 8.6.0.0.

The upgrade fixes three Common Vulnerabilities and Exposures (CVEs) and extends the sunset date for FIPS 140-2 certification.

FIPS 140-2 certification:
The IBM Crypto for C module, version 8.6.0.0, is now FIPS 140-2 certified till 11/13/2022 and the new certificate is available at the URL https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/3064

The new version of the underlying native library used by IBMJCEPlus and IBMJCEPlusFIPS added support for some algorithms, which are not yet supported by IBMJCEPlus and IBMJCEPlusFIPS. These are:
- RSA-PSS algorithm for digital signature and verification.
- HMAC-SHA3 algorithms for message authentication code.
- SHA3 algorithms for creating message digests.
- AES-CTR algorithm for data encryption and decryption.
Refer to the IBM SDK documentation for further details.

Common Vulnerabilities and Exposures:
The upgrade fixes three CVEs and the conditions under which the vulnerabilities are applicable are listed below.

Performing DSA key operations with either IBMJCEPlus or IBMJCEPlusFIPS providers will require applying the upgrade to fix the vulnerability CVE-2016-0705.

CVEID: CVE-2016-0705
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111140 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Performing RSA, DSA operations with either IBMJCEPlus or IBMJCEPlusFIPS providers, on a 64 bit Windows platform, will require applying the upgrade to fix the vulnerabilities CVE-2017-3732 and CVE-2017-3736.

CVEID: CVE-2017-3732
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121313 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-3736
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/134397 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

The associated Hursley RTC Problem Report is: 138002
JVMs affected: Java 8.0
The fix was delivered for Java 8 SR5 FP20.
The upgrade does not require any changes to IBMJCEPlus.jar.
The build level of this jar for the affected releases is: NA.

This APAR will be fixed in the following Java Releases:
8 SR5 FP20 (8.0.5.20)

Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs.
For those running stand-alone, information about the available Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
Temporary fix
Comments
APAR Information
APAR number
IJ07855
Reported component name
SECURITY
Reported component ID
620700125
Reported release
270
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-07-16
Closed date
2018-07-16
Last modified date
2018-07-16
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
Document Information
Modified date:
07 December 2020