APAR status
Closed as program error.
Error description
The port 9081 used by the Spectrum Protect for Virtual Environments GUI is reported as being vulnerable to Logjam (CVE-2015-4000).

Spectrum Protect Versions Affected:

All supported versions of IBM Spectrum Protect for Virtual Environments - Data Protection for VMware on Linux and Windows, see APAR IT31577

IBM Spectrum Protect for Virtual Environments - Data Protection for Hyper-V 8.1.4 and higher on Windows, see APAR IT32315

All supported versions of IBM Spectrum Protect Backup-Archive web user interface on:
    8.1.7 on Linux x86 and Windows
    8.1.8 on Linux Power LE and Linux z
    8.1.9 on AIX
see APAR IT32317

Initial Impact: Medium

Additional Keywords: TS003074169, java, cve, logjam, ssl, security, vulnerability, IT30213
Local fix
As a workaround, create and change the Spectrum Protect for Virtual Environments Java and webserver configuration files as follows, using an Administrator account on Windows or a root-owned terminal on Linux.

Example for the Linux platform:

1. Go to the webserver profile directory:

    $ cd /opt/tivoli/tsm/tdpvmware/common/webserver/usr/servers/veProfile/

2. Under this directory, create a JVM security option file ('jvm.security') and, on Linux, update the user and permissions to have:

    $ ls -l jvm.security
    -rwxrwxr-x 1 tdpvmware tdpvmware jvm.security

4. Update the empty file to add the following lines:

    jdk.certpath.disabledAlgorithms=MD2,MD5,SHA1 usage TLSServer TLSClient SignedJAR, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 256, DSS
    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DH keySize < 2048, EC keySize < 256, DSS, 3DES_EDE_CBC, DES, DESede, RC4, MD5, SHA1, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, anon, NULL

5. Update the existing JVM option file ('/opt/tivoli/tsm/tdpvmware/common/webserver/usr/servers/veProfile/jvm.options') to have the following lines:

    #-Dcom.ibm.jsse2.sp800-131=transition
    -Dcom.ibm.jsse2.sp800-131=strict
    -Djava.security.properties=file:/opt/tivoli/tsm/tdpvmware/common/webserver/usr/servers/veProfile/jvm.security
    -Djdk.tls.ephemeralDHKeySize=2048
    -Djdk.tls.rejectClientInitiatedRenegotiation=true

   That is, comment out the existing "-Dcom.ibm.jsse2.sp800-131=transition" setting and put the "strict" settings shown above in its place.

6. Update the existing webserver server configuration file ('/opt/tivoli/tsm/tdpvmware/common/webserver/usr/servers/veProfile/server.xml') as follows. Replace the following ssl XML element:

    <ssl enabledCiphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA" id="veSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="SSL_TLSv2"/>

   with the following one:

    <ssl id="veSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLSv1.2"/>

7. Then restart the webserver:

    $ service webserver restart

For the Windows platform, the same files need to be created or updated; they are located in C:\IBM\SpectrumProtect\webserver\usr\servers\veProfile.
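To confirm that every setting from the workaround actually landed in the three files, a read-only audit of the profile directory can be run after the restart. The script below is an added example, not IBM code or part of the APAR; the function name audit_profile and its finding messages are hypothetical, and it assumes each jvm.security property sits on one line or uses backslash continuation.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Linux profile directory named in the workaround.
DEFAULT_PROFILE = "/opt/tivoli/tsm/tdpvmware/common/webserver/usr/servers/veProfile"
REQUIRED_OPTS = ("-Dcom.ibm.jsse2.sp800-131=strict", "-Djdk.tls.ephemeralDHKeySize=2048",
                 "-Djdk.tls.rejectClientInitiatedRenegotiation=true")

def audit_profile(profile_dir):
    """Return a list of findings; an empty list means every workaround setting was found."""
    d, findings = Path(profile_dir), []
    read = lambda name: (d / name).read_text() if (d / name).is_file() else ""

    # jvm.options: only uncommented lines take effect.
    active = {l.strip() for l in read("jvm.options").splitlines()
              if l.strip() and not l.lstrip().startswith("#")}
    findings += [f"jvm.options: missing {o}" for o in REQUIRED_OPTS if o not in active]
    if "-Dcom.ibm.jsse2.sp800-131=transition" in active:
        findings.append("jvm.options: sp800-131 transition mode still active")
    if not any(o.startswith("-Djava.security.properties=") and o.endswith("jvm.security")
               for o in active):
        findings.append("jvm.options: java.security.properties does not point at jvm.security")

    # jvm.security: join backslash-continued lines, then read the TLS property.
    text = re.sub(r"\\\r?\n\s*", "", read("jvm.security"))
    m = re.search(r"^jdk\.tls\.disabledAlgorithms\s*=(.*)$", text, re.M)
    disabled = [a.strip() for a in m.group(1).split(",")] if m else []
    dh = [int(x.group(1)) for a in disabled if (x := re.fullmatch(r"DH keySize < (\d+)", a))]
    if not dh or max(dh) < 2048:
        findings.append("jvm.security: DH keySize < 2048 is not disabled")
    findings += [f"jvm.security: {p} is not disabled"
                 for p in ("SSLv3", "TLSv1", "TLSv1.1") if p not in disabled]

    # server.xml: veSSLConfig must pin TLSv1.2 and carry no explicit cipher list.
    raw = (d / "server.xml").read_bytes() if (d / "server.xml").is_file() else b"<server/>"
    ssl = [e for e in ET.fromstring(raw).iter("ssl") if e.get("id") == "veSSLConfig"]
    if not ssl:
        findings.append("server.xml: no ssl element with id veSSLConfig")
    for e in ssl:
        if e.get("sslProtocol") != "TLSv1.2":
            findings.append(f"server.xml: sslProtocol is {e.get('sslProtocol')}, expected TLSv1.2")
        if e.get("enabledCiphers"):
            findings.append("server.xml: explicit enabledCiphers list still present")
    return findings

if __name__ == "__main__":
    issues = audit_profile(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PROFILE)
    print("\n".join(issues) or "all workaround settings found")
```

Pass the profile directory as the first argument to audit a Windows installation or a copy of the files; with no argument the Linux path from the workaround is used.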
Problem summary
USERS AFFECTED:
IBM Spectrum Protect backup-archive web user interface on:
    V8.1.7 running on Linux x86 and Windows
    V8.1.8 running on Linux Power LE and Linux z
    V8.1.9 running on AIX

PROBLEM DESCRIPTION:
See ERROR DESCRIPTION.
For more information, refer to the security bulletin at this link: https://www.ibm.com/support/pages/node/6245366

RECOMMENDATION:
Apply fixing level when available. This problem is projected to be fixed in the backup-archive web user interface level 8.1.10 on all Linux, AIX and Windows platforms. Note that this is subject to change at the discretion of IBM.
Problem conclusion
The problem has been fixed so that it no longer occurs.
Temporary fix
Comments
APAR Information
APAR number
IT32317
Reported component name
TSM CLIENT
Reported component ID
5698ISMCL
Reported release
81W
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-03-26
Closed date
2020-03-26
Last modified date
2020-07-16
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TSM CLIENT
Fixed component ID
5698ISMCL
Applicable component levels
Document Information
Modified date:
13 February 2021