IBM Support

Security Bulletin : Vulnerability in RC4 stream cipher affects IBM WebSphere Message Broker and IBM Integration Bus (CVE-2015-2808)

Security Bulletin


Summary

The RC4 “Bar Mitzvah” Attack for SSL/TLS affects IBM WebSphere Message Broker and IBM Integration Bus

Vulnerability Details

CVEID: CVE-2015-2808

DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as "Bar Mitzvah Attack".
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM Integration Bus V9 , V10

WebSphere Message Broker V7, V8

IBM Integration Toolkit V9

WebSphere Message Broker Toolkit V7, V8

Remediation/Fixes

A fix to remove RC4 cipher suites from the default list of enabled cipher suites is available for WebSphere Message Broker V7.0 and V8.0 (for IBM Java™ 6)

ProductVRMFAPARRemediation/Fix
WebSphere Message BrokerV7.0IT08327 An interim fix is available from IBM Fix Central for all platforms.
http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=IT08327

The APAR is targeted to be available in fix pack 7.0.0.8
WebSphere Message Broker
V8.0
IT08327 An interim fix is available from IBM Fix Central for all platforms.
http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=IT08327

The APAR is targeted to be available in fix pack 8.0.0.7.

Note: If you have APAR IT03599 applied to your system to enable MQv8 support:
1. You are using Java 7 bundled with IT03599, and APAR IT08327 does not apply.
2. You must follow the mitigations/workarounds for IBM Integration Bus V9 and V10.

You should verify applying this fix does not cause any compatibility issues.

The planned maintenance release dates for WebSphere Message Broker and IBM Integration Bus are available at :
http://www.ibm.com/support/docview.wss?uid=swg27006308

Workarounds and Mitigations

IBM Integration Bus V9 and V10

a) IBM Java 7 shipped with IBM Integration Bus has RC4 enabled by default and is therefore vulnerable. The vulnerability can be mitigated by disabling RC4 which can be achieved by following 'Instructions to disable RC4 in Java 7' given below.
After disabling the RC4 ciphers if you decide to use CBC ciphers you should follow the steps outlined in 'Using CBC ciphers' given below.

b) If you use the DataDirect ODBC V7.x drivers shipped with WebSphere Message Broker
The SSL library shipped with the ODBC drivers is vulnerable. The RC4 ciphers are in the acceptable cipher list by default. To mitigate this vulnerability you can configure the drivers to exclude RC4 ciphers from the list of negotiated ciphers by following 'Instructions to disable RC4 in DataDirect drivers' given below.

WebSphere Message Broker V7 and V8



a) After disabling the RC4 ciphers by applying the APAR fix if you then decide to use CBC ciphers you should follow the steps outlined in 'Using CBC ciphers' given below.

b) If you use the DataDirect ODBC V7.x drivers shipped with WebSphere Message Broker
The SSL library shipped with the ODBC drivers is vulnerable. The RC4 ciphers are in the acceptable cipher list by default. To mitigate this vulnerability you can configure the drivers to exclude RC4 ciphers from the list of negotiated ciphers by following 'Instructions to disable RC4 in DataDirect drivers' given below.

WebSphere Message Broker Toolkit V7 and V8



WebSphere Message Broker Toolkit Versions 7.0 and V8.0 by default disable the RC4 stream cipher for broker administration and are not vulnerable. To remain protected in all cases you should NOT enable weak or export-level cipher suites or select an RC4 cipher when connecting to the Broker's Queue Manager. If you enable the RC4 stream cipher you are vulnerable.

To use a TLS cipher to connect to the Queue Manager, you must apply a fixpack or ifix containing APAR IT05725. APAR IT05725 is planned for inclusion in 7.0.0.8 and 8.0.0.5 Interim Fix 001.

If you choose to use CBC ciphers in place of the RC4 ciphers you should follow the steps outlined in 'Using CBC ciphers' given below.

IBM Integration Toolkit V9

IBM Integration Toolkit V9.0 by default disables the RC4 stream cipher for broker administration and is not vulnerable. To remain protected in all cases you should NOT enable weak or export-level cipher suites or select an RC4 cipher when connecting to the Broker's Queue Manager. If enable the RC4 stream cipher you are vulnerable.

To use a TLS cipher to connect to the Queue Manager, you must apply a fixpack or ifix containing APAR IT05429. APAR IT05429 is available in IBM Integration Toolkit Version 9.0 Fix Pack 3.

To stop users enabling the RC4 stream cipher in the future you should disable RC4 by following 'Instructions to disable RC4 in Java7' given below.

If you choose to use CBC ciphers in place of the RC4 ciphers you should follow the steps outlined in 'Using CBC ciphers' given below.

Instructions to disable RC4 in Java 7

Add RC4 to the list of disabled algorithms defined by the jdk.tls.disabledAlgorithms security property in the java.security file. For example:


    jdk.tls.disabledAlgorithms=SSLv3, RC4

The java.security file can be found in the following locations:


    IBM Integration Bus V9:
      <install>\jre17\lib\security\java.security

    IBM Integration Toolkit V9
      <install>\jdk\jre\lib\security\java.security

    IBM Integration Bus V10 on Windows and LinuxX64:
      <install>\common\jdk\jre\lib\security\java.security

    IBM Integration Bus V10 not on Windows and LinuxX64:
      <install>\common\jre\lib\security\java.security

Instructions to disable RC4 in DataDirect drivers (ODBC SSL connectivity)

Use the undocumented CipherList connection option:


In order to disable RC4 ciphers while still maintaining the default restrictions, you need to set:

    CipherList=DEFAULT:!RC4

Using CBC ciphers

After disabling the RC4 ciphers if you decide to enable and use CBC ciphers then you should set the jsse.enableCBCProtection JVM system property to avoid vulnerability to the BEAST security vulnerability CVE-2011-3389.

More details about this JVM system property can be found here: http://www.ibm.com/support/knowledgecenter/SSYKE2_6.0.0/com.ibm.java.security.component.60.doc/security-component/jsse2Docs/beast.html

You can set the JVM system property in a number of ways.

For WebSphere Message Broker and IBM Integration Bus runtime by either:


For WebSphere Message Broker and IBM Integration Toolkit:

    Edit the eclipse.ini file for the toolkit installation and add the following line:
      -Djsse.enableCBCProtection=true

    The eclipse.ini file can be found in the root directory of the toolkit installation. For example:
      c:\Program Files (x86)\IBM\WMBT800\eclipse.ini
      c:\Program Files\IBM\IIB\10.0.0.0\tools\eclipse.ini


Note that in the event that servers or clients are configured to use only RC4 ciphers, the above settings would prevent any SSL connection from succeeding.



You should verify applying the above configuration changes do not cause any compatibility issues. Not disabling the RC4 stream cipher will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.

The full list of Java acceptable protocols and their meaning are at http://www.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/jsse2Docs/protocols.html

Get Notified about Future Security Bulletins

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Off

Acknowledgement

None

Change History

5 May 2015 - Original version Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

[{"Product":{"code":"SSKM8N","label":"WebSphere Message Broker"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Security","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"7.0;8.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}},{"Product":{"code":"SSNQK6","label":"IBM Integration Bus"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Web User Interface","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"9.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}},{"Product":{"code":"SSNQGH","label":"IBM Integration Bus Hypervisor Edition"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"HWQQQ","label":"PRODUCT NOT FOUND"},"Business Unit":{"code":"BU055","label":"Cognitive Applications"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"HWQQQ","label":"PRODUCT NOT FOUND"},"Business Unit":{"code":"BU055","label":"Cognitive Applications"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}}]

Product Synonym

WMB IIB

Document Information

Modified date:
23 March 2020

UID

swg21883122