Security Bulletin
Summary
IBM has released the following fixes for IBM Security Access Manager Appliance in response to CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754.
Affected Products and Versions
| Affected Product Name | Affected Versions |
|---|---|
| IBM Security Access Manager for Web | 7.0 - 7.0.0.34 |
| IBM Security Access Manager for Web | 8.0 - 8.0.1.7 |
| IBM Security Access Manager for Mobile | 8.0 - 8.0.1.7 |
| IBM Security Access Manager | 9.0 - 9.0.4.0 |
Remediation/Fixes
| Product | VRMF | APAR | Remediation |
|---|---|---|---|
| IBM Security Access Manager for Web | 7.0 - 7.0.0.34 | IJ06994 | Apply Interim Fix 35: 7.0.0-ISS-WGA-IF0035 |
| IBM Security Access Manager for Web | 8.0 - 8.0.1.7 | IJ06985 | Upgrade to 8.0.1.8: 8.0.1-ISS-WGA-FP0008 |
| IBM Security Access Manager for Mobile | 8.0 - 8.0.1.7 | IJ06991 | Upgrade to 8.0.1.8: 8.0.1-ISS-ISAM-FP0008 |
| IBM Security Access Manager | 9.0 - 9.0.4.0 | IJ06985 | Upgrade to 9.0.5.0: 9.0.5-ISS-ISAM-FP0000 |
Please note that there is a potential change to performance when the Spectre/Meltdown fixes are applied. As a result, the Spectre/Meltdown fixes are disabled by default in some environments.
In ISAM 9, the fixes are disabled by default on the following two hypervisors:
- XenServer
- Amazon Web Services (AWS)
The fix is enabled by default in all other ISAM 9 environments.
In ISAM 7 & 8 environments, the Spectre/Meltdown fixes are disabled by default in all environments.
Administrators can use the following Advanced Tuning Parameter to enable and disable the Spectre/Meltdown fixes. You can change the value for this Advanced Tuning Parameter in the local management interface by selecting Manage System Settings > System Settings > Advanced Tuning Parameters.
kernel.disable.spectre = true/false
- true - indicates that the fix is disabled.
- false - indicates that the fix will be enabled.
IBM recommends using a value of kernel.disable.spectre = false in all ISAM environments. Administrators are advised to evaluate the performance in their environments and make deployment adjustments accordingly.
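The default-state rules above (ISAM 7 and 8 disabled everywhere, ISAM 9 disabled only on XenServer and AWS, an explicit kernel.disable.spectre value overriding the default) are easy to get wrong across a fleet. The following is an added example, not IBM's code: it encodes those rules and flags appliances whose effective state differs from the recommended kernel.disable.spectre = false. The "key = value" export format and the sample inventory are constructed assumptions; on a real appliance the value is read from the local management interface.

```python
# Added example (not from the IBM bulletin): models the default state of the
# Spectre/Meltdown kernel fix and applies an explicit kernel.disable.spectre
# Advanced Tuning Parameter when one is set. The "key = value" text format
# for exported parameters is a constructed assumption.

DISABLED_BY_DEFAULT_ISAM9 = {"xenserver", "aws"}

def parse_tuning_params(text):
    """Parse 'key = value' lines (constructed format) into a dict; skip blanks and '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip().lower()
    return params

def spectre_fix_enabled(major_version, hypervisor, params):
    """Return True when the kernel fix is effectively enabled.

    Defaults follow the bulletin: ISAM 7 and 8 disable the fix in all
    environments; ISAM 9 disables it only on XenServer and AWS. An explicit
    kernel.disable.spectre value (true = disabled, false = enabled) overrides
    the default; any other value is rejected rather than guessed.
    """
    value = params.get("kernel.disable.spectre")
    if value in ("true", "false"):
        return value == "false"
    if value is not None:
        raise ValueError(f"kernel.disable.spectre must be true or false, got {value!r}")
    if major_version in (7, 8):
        return False
    if major_version == 9:
        return hypervisor.lower() not in DISABLED_BY_DEFAULT_ISAM9
    raise ValueError(f"unsupported ISAM major version {major_version}")

def audit(appliances):
    """Return names of appliances where the fix is effectively disabled (not the recommended state)."""
    return [name for name, major, hv, text in appliances
            if not spectre_fix_enabled(major, hv, parse_tuning_params(text))]

# Constructed sample inventory: (name, major version, hypervisor, exported tuning parameters)
SAMPLE = [
    ("isam9-vmware", 9, "VMware", ""),                                # ISAM 9 default elsewhere: enabled
    ("isam9-aws", 9, "AWS", ""),                                      # ISAM 9 default on AWS: disabled
    ("isam9-aws-fixed", 9, "AWS", "kernel.disable.spectre = false"),  # explicitly enabled
    ("isam8-vmware", 8, "VMware", "# no override set"),               # ISAM 8 default: disabled
]

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print(f"{name}: Spectre/Meltdown fix disabled; set kernel.disable.spectre = false")
```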
Performance impact summary
Administrators can expect performance degradation after they enable the mitigation for the vulnerability. Processing times are impacted and as such, users submitting browser-based requests are likely to experience increased response times.
The impact on appliance performance is estimated to be in the 0% to 10% range for most IBM Security Access Manager environments.
However, for XenServer and Amazon Web Services (AWS) environments, testing has shown that the impact on performance ranges from 0% to upwards of 20%.
Due to the nature of more complex environments, this performance degradation may be higher.
Workarounds and Mitigations
None
References
Change History
20 August 2018: Updated the bulletin to include the ISAM 7 & 8 fixes.
20 June 2018: Original version published.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date: 21 August 2018
UID: swg22017146