
Security Bulletin: Vulnerability in RC4 stream cipher affects IBM® DB2® LUW (CVE-2015-2808)

Security Bulletin


Summary

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects IBM DB2 LUW.

Vulnerability Details

CVEID: CVE-2015-2808


DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as "Bar Mitzvah Attack".


CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

This vulnerability affects two components of DB2: DB2 Advanced Copy Services, and SSL client configurations that use the DB2 LDAP security plug-in.

For DB2 Advanced Copy Services
IBM DB2 Advanced Copy Services, as included in the IBM DB2 and DB2 Connect V10.1 and V10.5 editions listed below, is affected when running on AIX or Linux.

IBM DB2 Express Edition
IBM DB2 Workgroup Server Edition
IBM DB2 Enterprise Server Edition
IBM DB2 Connect™ Application Server Edition
IBM DB2 Connect Application Server Advanced Edition
IBM DB2 Connect Enterprise Edition
IBM DB2 Connect Unlimited Edition for System i®
IBM DB2 Connect Unlimited Edition for System z®
IBM DB2 Connect Unlimited Advanced Edition for System z
IBM DB2 10.1 pureScale Feature
IBM DB2 10.5 Advanced Enterprise Server Edition
IBM DB2 10.5 Advanced Workgroup Server Edition
IBM DB2 10.5 Developer Edition for Linux, Unix and Windows

NOTE: The DB2 Connect products mentioned are affected only if a local database has been created.

Only users of DB2 Advanced Copy Services (snapshot backup) are affected by this vulnerability. IBM DB2 includes a restricted version of IBM Tivoli FlashCopy Manager (FCM v3.2 and v4.1), and both versions are affected. IBM DB2 Advanced Copy Services in conjunction with IBM Tivoli FCM 3.2 or 4.1, on all current fix packs of IBM DB2 V10.1 and V10.5, is affected. AIX installations of DB2 may have this package installed by default even though it is not in use on the system.


For SSL client configuration using the DB2 LDAP security plug-in
Customers who have Secure Sockets Layer (SSL) support enabled in their client configuration, using the DB2-provided LDAP security plug-in to communicate with an LDAP server, are affected. SSL support is not enabled in the LDAP security plug-in by default.

All fix pack levels of the IBM DB2 V9.7, V10.1 and V10.5 editions listed below, running on AIX, Linux, HP-UX, Solaris or Windows, are affected.

IBM® DB2® Express Edition
IBM® DB2® Workgroup Server Edition
IBM® DB2® Enterprise Server Edition
IBM® DB2® Advanced Enterprise Server Edition
IBM® DB2® Advanced Workgroup Server Edition
IBM® DB2® Connect™ Application Server Edition
IBM® DB2® Connect™ Enterprise Edition
IBM® DB2® Connect™ Unlimited Edition for System i®
IBM® DB2® Connect™ Unlimited Edition for System z®

IBM® DB2® pureScale™ Feature for Enterprise Server Edition, V9.8, running on AIX or Linux is affected.

The IBM data server client and driver types are as follows:

IBM Data Server Driver Package
IBM Data Server Driver for ODBC and CLI
IBM Data Server Runtime Client
IBM Data Server Client

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this vulnerability.

FIX:

For SSL client configuration using the DB2 LDAP security plug-in
The fix for DB2 and DB2 Connect V9.7 is in V9.7 FP11, for V10.1 in V10.1 FP5, and for V10.5 in V10.5 FP6, all available for download from Fix Central.

Customers running any vulnerable fix pack level of the affected V9.8 Program can contact support to obtain a special build containing an interim fix for this issue. The special build is based on the most recent fix pack level for that release, DB2 V9.8 FP5, and can be applied to any affected fix pack level of V9.8 to remediate this vulnerability.

Refer to the following chart to determine how to proceed to obtain a needed fix pack or special build.



For DB2 Advanced Copy Services
The fix for DB2 and DB2 Connect release V10.1 is in V10.1 FP6 and V10.5 is in V10.5 FP7, available for download from Fix Central.

Refer to the following chart to determine how to proceed to obtain a needed fix pack.

Contact Technical Support:

In the United States and Canada dial 1-800-IBM-SERV
View the support contacts for other countries outside of the United States.
Electronically open a Service Request with DB2 Technical Support.

Note: IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Workarounds and Mitigations

For V9.8 customers, this problem can be mitigated by setting the environment variable LDAP_OPT_SSL_FIPS_PROCCESSING_MODE.

Mitigation instructions:

Customers should set the environment variable LDAP_OPT_SSL_FIPS_PROCCESSING_MODE on each DB2 server instance as follows:



On Linux/UNIX:

1) As the DB2 instance owner, add the following line to the userprofile file located in the instance's sqllib directory:

export LDAP_OPT_SSL_FIPS_PROCCESSING_MODE=ON

2) As a user with DB2 SYSADM privilege, run the following commands:

db2set DB2ENVLIST=LDAP_OPT_SSL_FIPS_PROCCESSING_MODE

db2stop
db2start

The commands above assume that DB2ENVLIST registry variable is not set. If it is set, the environment variable names need to be delimited with a space.  For example, if DB2ENVLIST is already set to SOME_ENV, it needs to be set as follows:

db2set DB2ENVLIST="SOME_ENV LDAP_OPT_SSL_FIPS_PROCCESSING_MODE"

On Windows:

Set the LDAP_OPT_SSL_FIPS_PROCCESSING_MODE environment variable at system level. You will need to restart the DB2 server for the environment variables to be picked up by DB2.

Variable name: LDAP_OPT_SSL_FIPS_PROCCESSING_MODE

Variable value: ON
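The Linux/UNIX steps above, as an added example that is not part of the IBM bulletin: a POSIX shell script that applies the V9.8 mitigation idempotently. The variable name is copied verbatim from the bulletin, and the script covers the case the bulletin warns about, namely DB2ENVLIST already holding other names, without dropping them or listing the new name twice. The instance home (defaulting to $HOME of the instance owner) and the DB2_APPLY guard are assumptions of this example; db2set, db2stop and db2start are only invoked when DB2_APPLY=1, so the helpers can be exercised on a machine without DB2.

```shell
#!/bin/sh
# Added example (not from the IBM bulletin): apply the V9.8 LDAP plug-in mitigation
# on Linux/UNIX idempotently. The variable name is copied from the bulletin; the
# userprofile path and the use of db2set/db2stop/db2start follow the bulletin's steps.
# The db2* commands are only run when DB2_APPLY=1 (assumed guard for this example).

FIPS_VAR=LDAP_OPT_SSL_FIPS_PROCCESSING_MODE

# merge_db2envlist CURRENT NAME
# Prints the DB2ENVLIST value that contains NAME exactly once. The bulletin requires
# the names to be space-delimited when DB2ENVLIST is already set; setting it to NAME
# alone would silently drop every name that was already exported to the instance.
merge_db2envlist() {
    current=$1
    name=$2
    case " $current " in
        *" $name "*)
            # already listed: keep the value unchanged
            printf '%s\n' "$current"
            ;;
        *)
            if [ -z "$current" ]; then
                printf '%s\n' "$name"
            else
                printf '%s %s\n' "$current" "$name"
            fi
            ;;
    esac
}

# ensure_export FILE NAME VALUE
# Appends "export NAME=VALUE" to FILE unless FILE already exports NAME.
# Prints "added" or "present" so the caller can tell whether anything changed.
ensure_export() {
    file=$1
    name=$2
    value=$3
    if [ -f "$file" ] && grep -q "^export ${name}=" "$file"; then
        echo present
    else
        printf 'export %s=%s\n' "$name" "$value" >> "$file"
        echo added
    fi
}

# apply_v98_mitigation [INSTANCE_HOME]
# Steps 1 and 2 of the bulletin. The userprofile edit must run as the instance
# owner and the db2set/db2stop/db2start sequence as a user with SYSADM privilege.
apply_v98_mitigation() {
    instance_home=${1:-$HOME}
    ensure_export "$instance_home/sqllib/userprofile" "$FIPS_VAR" ON
    # db2set VAR prints the current value; empty output means it is not set yet
    current=$(db2set DB2ENVLIST 2>/dev/null || true)
    db2set DB2ENVLIST="$(merge_db2envlist "$current" "$FIPS_VAR")"
    db2stop
    db2start
}

if [ "${DB2_APPLY:-0}" = 1 ]; then
    apply_v98_mitigation "$@"
fi
```

Run it as `DB2_APPLY=1 sh apply_v98.sh /home/db2inst1` on the instance; without DB2_APPLY the script only defines the helpers. The value merge is the part worth getting right: DB2ENVLIST is the only channel through which an instance-owner environment variable reaches the running DB2 engine, so overwriting it with a single name would break whatever else was already being exported.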

For V9.7, V10.1 and V10.5 customers, this problem can be mitigated by enabling FIPS mode in the LDAP security plug-in.

Customers at fix pack level V9.7 FP9, V10.1 FP4, V10.5 GA or higher should follow the instructions below to mitigate the problem.

Customers at fix pack level V9.7 FP8 or lower, or V10.1 FP3 or lower, should first upgrade to the latest fix pack and then follow the instructions below to mitigate the problem.

Mitigation instructions:

Customers should enable FIPS mode in the LDAP security plug-in as follows:

1. As the DB2 instance owner, open the LDAP security plug-in configuration file.


The default name and location for the IBM LDAP security plug-in configuration file is:
  • On UNIX: INSTHOME/sqllib/cfg/IBMLDAPSecurity.ini
  • On Windows: %DB2PATH%\cfg\IBMLDAPSecurity.ini
Alternatively, the file can reside in the location named by the DB2LDAPSecurityConfig environment variable.

2. Search for the FIPS_MODE configuration parameter in the file and change its value to true. Save and close the file.
    ; FIPS_MODE
    ; To set SSL encryption FIPS mode on or off.
    ; Optional; Valid values are true (on) and false (off). Defaults to
    ; false (FIPS mode off).
    FIPS_MODE = true
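Steps 1 and 2 above, as an added example that is not part of the IBM bulletin: a POSIX shell script that locates IBMLDAPSecurity.ini the way the bulletin describes (DB2LDAPSecurityConfig first, else INSTHOME/sqllib/cfg/IBMLDAPSecurity.ini) and sets FIPS_MODE without disturbing the commented documentation block that also mentions FIPS_MODE. It assumes INSTHOME is the instance owner's home directory; the sample file content is constructed here to mirror the excerpt quoted above.

```shell
#!/bin/sh
# Added example (not from the IBM bulletin): switch the DB2 LDAP security plug-in to
# FIPS mode by editing IBMLDAPSecurity.ini as the bulletin's steps 1-2 describe.
# INSTHOME is assumed to be the instance owner's home directory; the sample ini
# written by write_sample_ini is constructed for testing.

# ldap_ini_path [INSTHOME]
# Prints the configuration file location the plug-in reads on UNIX.
ldap_ini_path() {
    printf '%s\n' "${DB2LDAPSecurityConfig:-${1:-$HOME}/sqllib/cfg/IBMLDAPSecurity.ini}"
}

# get_fips_mode INI
# Prints the effective FIPS_MODE value (the last active assignment) or "unset".
# Lines beginning with ';' are comments, so the documentation block that mentions
# FIPS_MODE is not counted as a setting.
get_fips_mode() {
    awk -F= '
        /^[[:space:]]*FIPS_MODE[[:space:]]*=/ {
            v = $2
            gsub(/[[:space:]]/, "", v)
            val = v
        }
        END { if (val == "") print "unset"; else print val }
    ' "$1"
}

# set_fips_mode INI
# Rewrites every active FIPS_MODE assignment to "true", or appends one when the
# file has none, leaving comments and all other settings untouched. Prints the
# resulting effective value so the caller can confirm the change took.
set_fips_mode() {
    ini=$1
    tmp="$ini.tmp.$$"
    awk '
        /^[[:space:]]*FIPS_MODE[[:space:]]*=/ { print "FIPS_MODE = true"; seen = 1; next }
        { print }
        END { if (!seen) print "FIPS_MODE = true" }
    ' "$ini" > "$tmp" && mv "$tmp" "$ini"
    get_fips_mode "$ini"
}

# write_sample_ini FILE
# Constructed sample mirroring the FIPS_MODE block quoted in the bulletin, with the
# plug-in's default (FIPS mode off).
write_sample_ini() {
    cat > "$1" <<'EOF'
; FIPS_MODE
; To set SSL encryption FIPS mode on or off.
; Optional; Valid values are true (on) and false (off). Defaults to
; false (FIPS mode off).
FIPS_MODE = false
EOF
}
```

Usage on an instance: `ini=$(ldap_ini_path /home/db2inst1); set_fips_mode "$ini"` as the instance owner, then `get_fips_mode "$ini"` to confirm it reads `true`. The reason this counts as a mitigation is that RC4 is not a FIPS-approved algorithm, so a FIPS-mode SSL client will not offer it; checking the effective value rather than just grepping for the string matters because the commented header already contains "FIPS_MODE" and would give a false positive.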

References

Acknowledgement

None

Change History

April 10, 2015: Original Version Published
July 10, 2015: Updated with V10.1 FP5 fix info
Aug 13, 2015: Updated with V10.5 FP6 fix info
Oct 2, 2015: Updated with V9.7 FP11 fix info
Oct 23, 2015: Updated with FCM fix info
Dec 7, 2015: Updated with V10.5 FP7 fix info
Feb 28, 2017: Updated with V10.1 FP6 fix info

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document Information

Modified date:
16 June 2018

UID

swg21717865