Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM® DB2® LUW (CVE-2015-4000)


Summary

The Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects IBM DB2 LUW.

Vulnerability Details


CVEID: CVE-2015-4000

DESCRIPTION: The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to a 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as "Logjam".

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103294 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

This vulnerability affects two components of DB2: DB2 Advanced Copy Services and Java stored procedures that use the Secure Sockets Layer (SSL) API from the IBM JDK.

For DB2 Advanced Copy Services
IBM DB2 Advanced Copy Services included in IBM DB2 and DB2 Connect V10.1 and V10.5 editions listed below and running on AIX and Linux are affected.

IBM DB2 Express Edition
IBM DB2 Workgroup Server Edition
IBM DB2 Enterprise Server Edition
IBM DB2 Connect™ Application Server Edition
IBM DB2 Connect Application Server Advanced Edition
IBM DB2 Connect Enterprise Edition
IBM DB2 Connect Unlimited Edition for System i®
IBM DB2 Connect Unlimited Edition for System z®
IBM DB2 Connect Unlimited Advanced Edition for System z
IBM DB2 10.1 pureScale Feature
IBM DB2 10.5 Advanced Enterprise Server Edition
IBM DB2 10.5 Advanced Workgroup Server Edition
IBM DB2 10.5 Developer Edition for Linux, Unix and Windows

NOTE: The DB2 Connect products mentioned are affected only if a local database has been created.

Only users of DB2 Advanced Copy Services (snapshot backup) are affected by this vulnerability. IBM DB2 includes a restricted version of IBM Tivoli FlashCopy Manager (FCM), v3.2 and v4.1, and both versions are affected by this vulnerability. IBM DB2 Advanced Copy Services in conjunction with IBM Tivoli FCM 3.2 or 4.1, on all current fix packs of IBM DB2 V10.1 and V10.5, is affected. AIX installations of DB2 may have this package installed by default, even though it may not be in use on the system.

For Java stored procedures using Secure Sockets Layer (SSL) API from IBM JDK

Customers who have Java stored procedures that use the Secure Sockets Layer (SSL) API from the IBM JDK are affected.

All fix pack levels of the IBM DB2 V9.7, V10.1 and V10.5 editions listed below, running on AIX, Linux, HP-UX, Solaris or Windows, are affected.

IBM® DB2® Express Edition
IBM® DB2® Workgroup Server Edition
IBM® DB2® Enterprise Server Edition
IBM® DB2® Advanced Enterprise Server Edition
IBM® DB2® Advanced Workgroup Server Edition
IBM® DB2® Connect™ Application Server Edition
IBM® DB2® Connect™ Enterprise Edition
IBM® DB2® Connect™ Unlimited Edition for System i®
IBM® DB2® Connect™ Unlimited Edition for System z®

IBM® DB2® pureScale™ Feature for Enterprise Server Edition, V9.8, running on AIX or Linux is affected.

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this vulnerability.

For DB2 Advanced Copy Services

The FCM package containing the fix for DB2 V10.1 and V10.5 can be found on Fix Central under V10.5 by searching for the keyword FCM.

Platform   Description
AIX        DB2 10.5 Fix Pack 7 for AIX (64 bit), AIX distros for FCM
Linux      DB2 10.5 Fix Pack 7 for Linux/x86-64 (64 bit), Linux distros for FCM

The FCM packages for DB2 V10.5 can be used with both DB2 V10.1 and DB2 V10.5 on any fix pack.

Please note that on the AIX platform, for DB2 V10.1 and DB2 V10.5, installing a fix pack overwrites the FCM in sqllib/acs with a vulnerable version of FCM. You need to reapply the FCM fix after each fix pack update.

For installation instructions, please follow the documentation provided within the IBM DB2 information center:

http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.ha.doc/doc/c0053160.html

For Java stored procedures using Secure Sockets Layer (SSL) API from IBM JDK
The fix for this vulnerability is in the latest version of the IBM JDK. Customers running any vulnerable fix pack level of an affected Program (V9.7, V9.8, V10.1 or V10.5) can download the latest version of the IBM JDK from Fix Central.

Refer to the table below to determine the IBM JDK level required. Then follow the instructions below to perform the JDK installation.


Platform             10.5.x JDK Version   10.1.x JDK Version   9.8.x JDK Version   9.7.x JDK Version
AIX64                7.0.9.10             7.0.9.10             6.0.16.7            6.0.16.7
SUN SPARC 64         7.0.9.10             7.0.9.10             N/A                 6.0.16.7
SUN AMD64/EM64T      7.0.9.10             7.0.9.10             N/A                 6.0.16.7
HPIPF64              7.0.9.10             6.0.16.7             N/A                 6.0.16.7
Linux IA32           7.0.9.10             7.0.9.10             N/A                 6.0.16.7
Linux PPC64LE        7.1.3.10             N/A                  N/A                 N/A
Linux PPC64          7.0.9.10             7.0.9.10             N/A                 6.0.16.7
Linux S390 64-bit    7.0.9.10             7.0.9.10             N/A                 6.0.16.7
Linux AMD64/EM64T    7.0.9.10             7.0.9.10             6.0.16.7            6.0.16.7
Windows IA32         7.0.9.10             7.0.9.10             N/A                 6.0.16.7
Windows x86-64       7.0.9.10             7.0.9.10             N/A                 6.0.16.7
Inspur K-UX          6.0.16.7             N/A                  N/A                 N/A

Instructions for IBM JDK Installation on UNIX
1) Create a new temporary JDK directory, e.g. jdk64, to store the extracted install files.

2) Run the following command to extract all the files from the IBM JDK install image tar file into the temporary JDK directory created in step 1 above.
    tar -xvf <IBM JDK install image tar file> -C jdk64

3) Stop all DB2 instances for the installation.

4) As root user, back up the original IBM JDK directory within the DB2 installation path and create a new one.
    Go to the java sub-directory under <DB2 Installation Path>.
    E.g.
    cd /opt/IBM/db2/V10.1fp5/java

    Back up the original JDK directory <DB2 Installation Path>/java/jdk64
    E.g.
    mv /opt/IBM/db2/V10.1fp5/java/jdk64 /opt/IBM/db2/V10.1fp5/java/jdk64_old

    Create a new JDK directory under <DB2 Installation Path>/java/.
    E.g.
    mkdir /opt/IBM/db2/V10.1fp5/java/jdk64

5) As root user, copy the extracted files from the temporary JDK directory created in step 1 to the new JDK directory under <DB2 Installation Path>. E.g.

    cp -R <Temporary JDK directory>/* /opt/IBM/db2/V10.1fp5/java/jdk64/

    All the files in the <DB2 Installation Path>/java/jdk64 directory should have r-x permission.

6) Change the group and owner for all the files in the new JDK directory to bin.
    E.g.

    chgrp -R bin /opt/IBM/db2/V10.1fp5/java/jdk64
    chown -R bin /opt/IBM/db2/V10.1fp5/java/jdk64
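The six UNIX steps above gathered into one POSIX shell function, as an added example; this is not IBM's script and is not taken from the bulletin. It assumes the caller passes the IBM JDK tar image and the DB2 installation path, optionally an owner and group (both default to bin, as in step 6), and that all DB2 instances have already been stopped (step 3). It adds two checks the steps do not state: it refuses to run if a jdk64_old backup already exists, so an earlier backup is never overwritten, and it removes the temporary directory when done.

```shell
#!/bin/sh
# Added example, not IBM's own script. Replaces <DB2 Installation Path>/java/jdk64
# with the contents of an IBM JDK tar image, following the UNIX steps 1, 2, 4, 5 and 6.
# Assumption: the caller has stopped all DB2 instances first (step 3).
#
# Usage: db2_replace_jdk <IBM JDK install image tar file> <DB2 Installation Path> [owner] [group]
db2_replace_jdk() {
    jdk_tar=$1
    db2_path=$2
    owner=${3:-bin}
    group=${4:-bin}
    java_dir="$db2_path/java"

    # Sanity checks before touching the installation.
    [ -f "$jdk_tar" ] || { echo "tar image not found: $jdk_tar" >&2; return 1; }
    [ -d "$java_dir/jdk64" ] || { echo "no jdk64 directory under $java_dir" >&2; return 1; }
    # Added check: never overwrite a previous backup.
    [ -e "$java_dir/jdk64_old" ] && { echo "$java_dir/jdk64_old already exists; move it aside first" >&2; return 1; }

    # Steps 1 and 2: extract the tar image into a temporary jdk64 directory.
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/jdk64" || { rm -rf "$tmp"; return 1; }
    tar -xf "$jdk_tar" -C "$tmp/jdk64" || { rm -rf "$tmp"; return 1; }

    # Step 4: back up the original JDK directory and create an empty new one.
    mv "$java_dir/jdk64" "$java_dir/jdk64_old" || { rm -rf "$tmp"; return 1; }
    mkdir "$java_dir/jdk64" || { rm -rf "$tmp"; return 1; }

    # Step 5: copy the extracted files in (the "/." form also picks up dot files)
    # and make sure everything is readable, with execute kept on directories and programs.
    cp -R "$tmp/jdk64"/. "$java_dir/jdk64/" || { rm -rf "$tmp"; return 1; }
    chmod -R a+rX "$java_dir/jdk64" || { rm -rf "$tmp"; return 1; }

    # Step 6: set group and owner (bin by default).
    chown -R "$owner:$group" "$java_dir/jdk64" || { rm -rf "$tmp"; return 1; }

    rm -rf "$tmp"
    return 0
}

# Example invocation with the installation path used in the bulletin
# (run as root, after stopping the instances):
#   db2_replace_jdk /tmp/ibm-java-sdk.tar /opt/IBM/db2/V10.1fp5
```

Because the function refuses to run while jdk64_old exists, a second application on the same installation path (for instance after a later JDK download) requires moving the old backup aside first; that is deliberate, so a working JDK is never discarded silently.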

Instructions for IBM JDK Installation on Windows
1) Stop all DB2 instances.

2) Go to the DB2 installation directory
E.g.
C:\Program Files (x86)\IBM\SQLLIB\java\jdk

Rename the following folders:
    • bin to bin_old
    • include to include_old
    • lib to lib_old
    • properties to properties_old
    • jre to jre_old

    • This might fail with a folder-in-use error. If that happens, try the following steps:
      • cd to the C:\Program Files (x86)\IBM\SQLLIB\java\jdk\jre folder
      • rename bin to bin_old
      • copy lib as lib_old
      • cd to the lib directory and delete all the files except the fonts folder (which might be held open by the Windows svchost.exe process and therefore cannot be renamed)

3) Unzip the new java files and copy all the extracted java files under the jdk directory.


Notes:
1) With this update, the metadata of the new JDK is not recorded by the installer. Hence, for a fix pack update in the same installation path, execution of the db2val utility (the tool that validates the files laid down by the DB2 installer at the system, instance or database level after a new installation) may fail. A fix pack update to a new installation path is not affected.

2) Uninstall will not be able to remove the jdk64 and jdk64_old folders; the user will have to remove them manually.

Workarounds and Mitigations

None

References

Acknowledgement

Reported to IBM by The WeakDH team at https://weakdh.org

Change History

Oct 16, 2015: Original Version Published
Oct 23, 2015: Updated with FCM fix info
Dec 7, 2015: Updated with V10.5 FP7 fix info.
August 28, 2017: Updated download URL.
October 11, 2017: Made corrections to install instructions.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document Information

Modified date: 16 June 2018
UID: swg21967893