IBM Support

Security Bulletin: Vulnerability with Diffie-Hellman ciphers affects IBM Tivoli Netcool Service Quality Manager (CVE-2015-4000)

Created by Dmitry Mishin on

Security Bulletin


Summary

The Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol affects IBM Tivoli Netcool Service Quality Manager.

Vulnerability Details

CVEID: CVE-2015-4000
DESCRIPTION:
 The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as "Logjam".
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103294 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

This vulnerability affects Tivoli Netcool Service Quality Manager 4.1.4

Remediation/Fixes

IBM has provided patches for all affected versions. 
The IBM Java Runtime Environment Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 11 can be downloaded from the IBM Fix Central site:
https://delivery04.dhe.ibm.com/sar/CMA/WSA/05f7p/0/j564redist.tar.gz

To install the patch the following procedure has to be performed on TNSQM servers:

$ sap stop 
$ sapmon stop 
$ sapmgr stop 
$ cd ${WMCROOT}/java 
$ mv jre jre.old
$ gunzip -c <location of patch>/j564redist.tar.gz | tar -xf - 
$ sapmon start 
$ sapmgr start 
$ sap start

The Logjam attack which affects TLS connections using the Diffie-Hellman (DH) key exchange protocol may affect some configurations in WebSphere Application Server. WebSphere Application Server has DH and DHE ciphers included in the "STRONG" or "HIGH", "MEDIUM" and "LOW" cipher lists. They also could be present if you have a "CUSTOM" list of ciphers. You will need to remove any of the ciphers that begin with SSL_* or TLS_* that also have DH or DHE in the Name from your WebSphere Application Server SSL configuration. This does NOT include ciphers that have ECDH or ECDHE in the Name, these are elliptic curve Diffie-Hellman ciphers and they are not affected. 

You can view the administrative console page to change the settings, click Security > SSL certificate and key management. Under Configuration settings, click Manage endpoint security configurations > {Inbound | Outbound} > ssl_configuration. Under Related items, click SSL configurations > . Click on {SSL_configuration_name }. Under Additional Properties, click Quality of protection (QoP) settings.
For more information on the Quality of Protection settings refer to the Knowledge Center:http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/usec_sslqualprotect.html?lang=en

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSKGK9","label":"Tivoli Netcool Service Quality Manager"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Not Applicable","Platform":[{"code":"PF002","label":"AIX"}],"Version":"4.1.4","Edition":"All Editions","Line of Business":{"code":"LOB45","label":"Automation"}}]

Product Synonym

TNSQM

Document Information

Modified date:
17 June 2018

UID

swg21960580