
Security Bulletin:TLS padding vulnerability affects InfoSphere BigInsights (CVE-2014-8730)

Created by Suresh Thalamati on
Published URL: https://www.ibm.com/support/pages/node/522235

Summary

Transport Layer Security (TLS) padding vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) like attack affects InfoSphere BigInsights Big SQL.

Vulnerability Details

CVE-ID: CVE-2014-8730

DESCRIPTION:

InfoSphere BigInsights could allow a remote attacker to obtain sensitive information, caused by the failure to check the contents of the padding bytes when using CBC cipher suites of some TLS implementations. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) like attack to decrypt sensitive information and calculate the plaintext of secure connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99216 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM InfoSphere BigInsights version 3.0, 3.0.0.1, and 3.0.0.2

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this vulnerability. For all the affected versions apply the interim fix available from Fix Central.

Workarounds and Mitigations

By default, Big SQL does not set up SSL for client-server communication, so this vulnerability affects Big SQL only if SSL is enabled. This vulnerability does not affect Big SQL 1.0. For all affected configurations, in order to protect against this vulnerability, you must enable strict checking of the padding bytes.

The following steps should be performed to enable strict checking of the padding bytes:

  1. On each Big SQL server node, set the following environment variable:
    1. Login as a Big SQL instance owner.
    2. Update the userprofile file (e.g. /home/bigsql/sqllib/userprofile) that is located under the sqllib directory of the instance owner with the following environment variable:
      • export GSK_STRICTCHECK_CBCPADBYTES=GSK_TRUE
  2. On the head node as the Big SQL administrator user, set the following environment variables:
    1. Log in as a Big SQL administrator user.
    2. Set the environment variable as shown below:
      • export GSK_STRICTCHECK_CBCPADBYTES=GSK_TRUE
    3. Check whether DB2ENVLIST is set to a value, and set the values as follows:
      1. If it is set to a value, then you need to chain the environment variable names and delimit them with a space. For example, if it is already set to SOME_ENV_VAR, you need to set DB2ENVLIST as shown below:
        • db2set DB2ENVLIST="SOME_ENV_VAR GSK_STRICTCHECK_CBCPADBYTES"
      2. If the DB2ENVLIST is not set to any values, set the DB2ENVLIST as shown below:
        • db2set DB2ENVLIST=GSK_STRICTCHECK_CBCPADBYTES
  3. As the BigInsights administrator user, from the BigInsights console node, stop and then restart Big SQL by running the following commands:
    • $BIGINSIGHTS_HOME/bin/stop.sh bigsql
    • $BIGINSIGHTS_HOME/bin/start.sh bigsql
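The two steps that are easy to get wrong when scripting this across nodes are appending the export to userprofile without duplicating it, and chaining GSK_STRICTCHECK_CBCPADBYTES into an existing DB2ENVLIST without clobbering variables already listed. The POSIX sh helpers below are an added example, not part of the IBM bulletin; the function names, the temporary file and the sample DB2ENVLIST value SOME_ENV_VAR are constructed for illustration, and the db2set call in the comments assumes the Db2 instance environment is already sourced.

```shell
#!/bin/sh
# Added example (not IBM's code). Helpers for the two mitigation steps:
#   1. idempotently add the export line to the instance owner's userprofile
#   2. compute a DB2ENVLIST value that keeps existing entries and adds ours
# Real use:  new=$(merge_db2envlist "$(db2set DB2ENVLIST)")
#            db2set DB2ENVLIST="$new"

STRICT_VAR="GSK_STRICTCHECK_CBCPADBYTES"
EXPORT_LINE="export ${STRICT_VAR}=GSK_TRUE"

# Append the export line to the given userprofile unless an identical line
# already exists, so re-running on every Big SQL node is safe.
ensure_userprofile_export() {
    profile="$1"
    if grep -qxF "$EXPORT_LINE" "$profile" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$EXPORT_LINE" >> "$profile"
}

# Print the DB2ENVLIST value to set, given its current (space-delimited)
# value. An empty current value yields just our variable; an existing list
# is preserved and our variable appended; an already-present entry is not
# duplicated.
merge_db2envlist() {
    current="$1"
    for name in $current; do
        if [ "$name" = "$STRICT_VAR" ]; then
            printf '%s\n' "$current"
            return 0
        fi
    done
    if [ -z "$current" ]; then
        printf '%s\n' "$STRICT_VAR"
    else
        printf '%s %s\n' "$current" "$STRICT_VAR"
    fi
}

# Demonstration on constructed input (no db2set or real userprofile touched).
demo_profile=$(mktemp)
ensure_userprofile_export "$demo_profile"
ensure_userprofile_export "$demo_profile"
printf 'userprofile lines added: %s\n' "$(grep -c "$STRICT_VAR" "$demo_profile")"
printf 'DB2ENVLIST (was empty):        %s\n' "$(merge_db2envlist "")"
printf 'DB2ENVLIST (was SOME_ENV_VAR): %s\n' "$(merge_db2envlist "SOME_ENV_VAR")"
rm -f "$demo_profile"
```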


References

Change History

07 January 2015: Original Copy Published
22 May 2015: Added interim fix information

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.


Document Information

Modified date: 18 July 2020

UID: swg21692927