Security Bulletin
Summary
The RC4 “Bar Mitzvah” Attack for SSL/TLS affects Multiple N-series Products
Vulnerability Details
CVEID: CVE-2015-2808
DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to obtain sensitive information. This vulnerability is commonly referred to as "Bar Mitzvah Attack".
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Affected Products and Versions
7-Mode Data ONTAP 8.1.x and 8.2.x;
Clustered Data ONTAP 8.2.x;
NS OnCommand Core Package: 5.2, 5.2R1, 5.2P1, 5.2P2;
NS OnCommand Unified Manager for DataONTAP: 6.1R1;
Remediation/Fixes
None
Workarounds and Mitigations
You should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will leave you exposed to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.
For 7-Mode Data ONTAP 8.2.3 and above (below 8.3)
A new option, "options rc4.enable", allows you to enable or disable the RC4 encryption algorithm that is used in the TLS and SSL protocols over HTTPS and FTPS connections. The option defaults to "on". To disable the RC4 cipher type:
"options rc4.enable off"
For Clustered Data ONTAP 8.2.2 RC1 and above (below 8.3)
You can enable the OpenSSL FIPS 140-2 compliance mode to disable RC4 ciphers by executing the following command at the admin privilege level in the clustershell:
“system services web modify -ssl-fips-enable true”
The above workarounds are supported only in Data ONTAP 8.2.3 and above for 7-Mode and Data ONTAP 8.2.2 RC1 and above for Clustered-Mode. For customers who use 7-Mode Data ONTAP 8.1.x and 8.2.x (below 8.2.3), IBM urges upgrading to 7-Mode Data ONTAP 8.2.3 and above (below 8.3) to implement the corresponding workaround. For customers who use Clustered Data ONTAP 8.1.x and 8.2.x (below 8.2.2 RC1), IBM urges upgrading to Clustered Data ONTAP 8.2.2 RC1 and above (below 8.3) to implement the corresponding workaround. Contact IBM support or go to this link to download a supported release.
For customers who are using NS OnCommand Core Package or NS OnCommand Unified Manager for DataONTAP, please contact IBM support.
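After applying either workaround ("options rc4.enable off" on 7-Mode, or FIPS mode on Clustered Data ONTAP), the practical check is to confirm from a client that the controller's HTTPS management interface no longer negotiates an RC4 suite. The script below is an added example, not part of this bulletin or of Data ONTAP: it offers the server only RC4 cipher suites and reports whether the handshake succeeds. It assumes the interface listens on TCP 443, that the hostname (filer.example.com is a placeholder) resolves from the client, and that the client's own OpenSSL build still knows RC4; recent builds have RC4 compiled out or in a non-default provider, in which case a failed handshake proves nothing, so the script checks for that first.

```python
"""Verify that an HTTPS endpoint refuses RC4 after the bulletin's workaround.

Added example, not IBM's or NetApp's code. Assumptions: TCP 443, a
resolvable hostname, and a local OpenSSL that can still offer RC4.
"""
import socket
import ssl
from typing import List, Optional

# OpenSSL cipher string selecting only RC4 suites. @SECLEVEL=0 lets newer
# OpenSSL builds offer legacy suites they would otherwise refuse to use.
RC4_ONLY = "RC4:@SECLEVEL=0"


def is_rc4_suite(name: str) -> bool:
    """True for RC4 suites in OpenSSL naming (ECDHE-RSA-RC4-SHA) or IANA
    naming (TLS_RSA_WITH_RC4_128_SHA)."""
    return "RC4" in name.upper()


def rc4_suites(names: List[str]) -> List[str]:
    """Filter a cipher-suite list (e.g. from a scanner report) to RC4 suites."""
    return [n for n in names if is_rc4_suite(n)]


def local_openssl_has_rc4() -> bool:
    """Whether this client can offer RC4 at all. If it cannot, a failed
    handshake tells us nothing about the server's policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(RC4_ONLY)
    except ssl.SSLError:
        return False
    return bool(ctx.get_ciphers())


def negotiated_cipher(host: str, port: int = 443, cipher_spec: str = RC4_ONLY,
                      timeout: float = 5.0) -> Optional[str]:
    """Offer only `cipher_spec` and return the suite the server picked, or
    None if the suites are unavailable locally or the handshake fails."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # we are testing cipher policy, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(cipher_spec)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def rc4_still_accepted(host: str, port: int = 443) -> Optional[bool]:
    """True if the server negotiated an RC4 suite, False if it refused RC4,
    None if this client cannot perform the check."""
    if not local_openssl_has_rc4():
        return None
    suite = negotiated_cipher(host, port)
    return suite is not None and is_rc4_suite(suite)


if __name__ == "__main__":
    import sys
    # Placeholder hostname; pass the controller's management address instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "filer.example.com"
    result = rc4_still_accepted(target)
    if result is None:
        print("local OpenSSL cannot offer RC4; run from a client whose build still has it")
    else:
        print(f"{target}: RC4 {'STILL ACCEPTED' if result else 'refused'}")
```

Run it once before and once after the configuration change; "refused" after the change is the expected outcome. Because the rc4.enable option also covers FTPS, repeat the check against port 990 on 7-Mode systems that use it.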
References
Acknowledgement
None
Change History
27 Oct, 2015 Original Version Published
16 Jan, 2017 Second Version Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
15 December 2021
UID
ssg1S1005273