
Security Bulletin: TLS padding vulnerability affects IBM Data Server Client packages (CVE-2014-8730)

Created by Shilu Mathai on
Published URL: https://www.ibm.com/support/pages/node/523251

Security Bulletin


Summary

Transport Layer Security (TLS) padding vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) like attack affects IBM Data Server Client packages.

Vulnerability Details

CVE-ID: CVE-2014-8730

DESCRIPTION: The product could allow a remote attacker to obtain sensitive information, caused by the failure of some TLS implementations to check the contents of the padding bytes when using CBC cipher suites. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) like attack to decrypt sensitive information and calculate the plaintext of secure connections.

All users that have the Secure Sockets Layer (SSL) support enabled in the IBM data server clients are affected. The SSL support is not enabled in the IBM data server client by default.


CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99216 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

All versions and fix pack levels of IBM data server client products that are running on the AIX, Linux, HP, Solaris, or Windows operating systems are affected.

IBM Data Server Client: V9.5, V9.7, V10.1, V10.5
IBM Data Server Runtime Client: V9.5, V9.7, V10.1, V10.5
IBM Data Server Driver Package: V9.5, V9.7, V10.1, V10.5
IBM Data Server Driver for ODBC and CLI: V9.5, V9.7, V10.1, V10.5

Remediation/Fixes

Customers running V10.5 FP5 can contact support to obtain a special build containing an interim fix for this issue.

Refer to the following chart to determine how to obtain the required fix pack or special build.

Release   Fixed in fix pack   APAR      Download URL
V10.5     TBD                 IT06351   Please contact technical support.

For customers running IBM data server client and driver types:

All users that have the Secure Sockets Layer (SSL) support enabled in the IBM data server clients are affected. The SSL support is not enabled in the IBM data server client by default.

A GSKit upgrade is required if either of the following applies to you:

  • IBM data server client and driver types at the V9.5, V9.7, V9.8, or V10.1 level, or at any V10.5 level before fix pack 5.
  • IBM data server client and driver types at V10.5 fix pack 5 with a separately installed GSKit.

Where to obtain the GSKit depends on the DB2 release and platform:

  • IBM data server client and driver types V10.5 fix pack 5 on Inspur, or on Linux 64-bit POWER little endian on Power Systems: contact customer support to obtain the "IBM DB2 Support Files for SSL Functionality".
  • IBM data server client and driver types at the V9.5, V9.7, V9.8, or V10.1 level, or at any V10.5 level before fix pack 5:
      - Client and server on the same physical computer: on the Windows platform you do not need to upgrade the GSKit, because GSKit is automatically installed with the DB2 server image. On all other platforms, download "IBM DB2 Support Files for SSL Functionality" from IBM Passport Advantage.
      - Client and server on different computers: on all platforms, download "IBM DB2 Support Files for SSL Functionality" from IBM Passport Advantage and perform the GSKit upgrade.

Refer to the chart below for the required GSKit version.

Release   GSKit Version
V9.5      V7.0.5.5
V9.7      V8.0.50.41
V9.8      V8.0.50.41
V10.1     V8.0.50.41
V10.5     V8.0.50.41

Workarounds and Mitigations

As a mitigation, set the GSK_STRICTCHECK_CBCPADBYTES environment variable and restart the application.
The GSK_STRICTCHECK_CBCPADBYTES environment variable is available in the following GSKit versions:

  • GSKit 8.0.14.27 and later
  • GSKit 7.0.4.45 and later
IBM data server client products for V10.5 FP5 are packaged with GSKit v8.0.50.31.

If you installed a separate GSKit in your environment, or if you do not have the IBM data server client V10.5 FP5 or later product, you must ensure that the GSKit in your environment supports the GSK_STRICTCHECK_CBCPADBYTES environment variable. If your current GSKit installation does not support it, you must install a GSKit version that does. You can obtain the GSKit from the IBM Passport Advantage (PPA) site.

You can determine the installed GSKit version with the GSKit version check command. For GSKit Version 8, issue the gsk8ver command for a 32-bit GSKit installation and the gsk8ver_64 command for a 64-bit GSKit installation. For more information, see the GSKit documentation.

On Linux and UNIX operating systems:

export GSK_STRICTCHECK_CBCPADBYTES=GSK_TRUE

On the Windows operating system:

Set the GSK_STRICTCHECK_CBCPADBYTES environment variable at the system level.

Test the environment after you set the GSK_STRICTCHECK_CBCPADBYTES environment variable to ensure that there are no compatibility issues.
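The description above states the root cause: a CBC record's padding bytes were not checked, only the final padding-length byte, and GSK_STRICTCHECK_CBCPADBYTES turns on the full check. The following added example (not IBM's or GSKit's code) implements both the lenient and the strict padding validation over an already-decrypted TLS 1.x CBC record so the difference can be seen directly; the record layout, the 20-byte MAC length, the AES block size and the sample plaintext are constructed assumptions for illustration.

```python
import hmac
from typing import Optional

MAC_LEN = 20   # HMAC-SHA1 tag length of the classic *_CBC_SHA cipher suites (assumed)
BLOCK = 16     # AES block size (assumed)


def build_record(plaintext: bytes, mac: bytes) -> bytes:
    """Lay out plaintext || MAC || padding || pad_len as TLS 1.0+ does (RFC 5246 6.2.3.2).

    Every padding byte, including the final length byte, carries the value pad_len.
    """
    body = plaintext + mac
    pad_len = BLOCK - 1 - (len(body) % BLOCK)      # fill the record to a block multiple
    return body + bytes([pad_len]) * (pad_len + 1)


def lenient_padding_check(decrypted: bytes) -> Optional[int]:
    """SSLv3-style check: trust the last byte as pad length, ignore the padding contents.

    Returns the offset where the MAC starts, or None if the record is rejected.
    """
    if not decrypted:
        return None
    pad_len = decrypted[-1]
    if pad_len + 1 + MAC_LEN > len(decrypted):
        return None
    return len(decrypted) - pad_len - 1 - MAC_LEN


def strict_padding_check(decrypted: bytes) -> Optional[int]:
    """TLS 1.0+ check: every one of the pad_len + 1 trailing bytes must equal pad_len.

    This is the behaviour the GSK_STRICTCHECK_CBCPADBYTES setting enables.
    """
    if not decrypted:
        return None
    pad_len = decrypted[-1]
    if pad_len + 1 + MAC_LEN > len(decrypted):
        return None
    expected = bytes([pad_len]) * (pad_len + 1)
    # Fixed-length comparison so the contents check does not short-circuit on the first mismatch.
    if not hmac.compare_digest(decrypted[-(pad_len + 1):], expected):
        return None
    return len(decrypted) - pad_len - 1 - MAC_LEN


def compare_checks(record: bytes) -> tuple:
    """Return (lenient_accepts, strict_accepts) for one decrypted record."""
    return (lenient_padding_check(record) is not None,
            strict_padding_check(record) is not None)
```

A well-formed record passes both checks; a record whose padding bytes were altered while the length byte stayed intact passes only the lenient check, which is exactly the distinction the strict setting closes.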


References


Change History

16 Jan 2015: Original Version Published

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.


Document Information

Modified date:
16 June 2018

UID

swg21693877