IBM Support

Security Bulletin: IBM Security Access Manager Appliance has released a fix in response to the vulnerabilities known as Spectre and Meltdown

Created by Ann-Louise Bolger on
Published URL:
https://www.ibm.com/support/pages/node/712137
712137

Security Bulletin


Summary

IBM has released the following fixes for IBM Security Access Manager Appliance in response to CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754.

Vulnerability Details

CVEID: CVE-2017-5753

CVEID: CVE-2017-5715

CVEID: CVE-2017-5754

Affected Products and Versions

Affected Product Name

Affected Versions
IBM Security Access Manager for Web 7.0 - 7.0.0.34
IBM Security Access Manager for Web 8.0 - 8.0.1.7
IBM Security Access Manager for Mobile 8.0 - 8.0.1.7
IBM Security Access Manager 9.0-9.0.4.0

Remediation/Fixes

Product

VRMF APAR Remediation
IBM Security Access Manager for Web 7.0 - 7.0.0.34 IJ06994 Apply Interim Fix 35:
7.0.0-ISS-WGA-IF0035
IBM Security Access Manager for Web 8.0 - 8.0.1.7 IJ06985 Upgrade to 8.0.1.8:
8.0.1-ISS-WGA-FP0008 
IBM Security Access Manager for Mobile 8.0 - 8.0.1.7 IJ06991 Upgrade to 8.0.1.8:
8.0.1-ISS-ISAM-FP0008
IBM Security Access Manager 9.0-9.0.4.0 IJ06985 Upgrade to 9.0.5.0:
9.0.5-ISS-ISAM-FP0000


Please note that there is a potential change to performance when the Spectre/Meltdown fixes are applied. As a result, the Spectre/Meltdown fixes are disabled by default in some environments.

In ISAM 9, the fixes are disabled by default on the following two hypervisors:
- XenServer
- Amazon Web Services (AWS)
The fix is enabled by default in all other ISAM 9 environments.

In ISAM 7 & 8 environments, the Spectre/Meltdown fixes are disabled by default in all environments.

Administrators can use the following Advanced Tuning Parameter to enable and disable the Spectre/Meltdown fixes. You can change the value for this Advanced Tuning Parameter in the local management interface by selecting Manage System Settings > System Settings > Advanced Tuning Parameters.

kernel.disable.spectre = true/false

true - indicates that the fix is disabled.
false - indicates that the fix will be enabled.

IBM recommends using a value of kernel.disable.spectre = false in all ISAM environments.Administrators are advised to evaluate the performance in their environments and make deployment adjustments accordingly.

Performance impact summary

Administrators can expect performance degradation after they enable the mitigation for the vulnerability. Processing times are impacted and as such, users submitting browser-based requests are likely to experience increased response times.

The impact on appliance performance is estimated to be in the 0% to 10% range for most IBM Security Access Manager environments.

However, for XenServer and Amazon Web Service (AWS) environments, testing has shown that the impact on performance from 0% to upwards of 20%.

Due to the nature of more complex environments, this performance degradation may be higher.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

Change History

20 August 2018: Updated the bulletin to include the ISAM 7 & 8 fixes.
20 June 2018: Original version published.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSZU8Q","label":"IBM Security Access Manager"},"Component":"--","Platform":[{"code":"PF004","label":"Appliance"}],"Version":"7.0.0;8.0.0;8.0.0.1;8.0.0.2;8.0.0.3;8.0.0.4;8.0.0.5;8.0.1;8.0.1.2;8.0.1.3;8.0.1.4;8.0.1.5;8.0.1.6;8.0.1.7;9.0.0;9.0.0.1;9.0.1.0;9.0.2.0;9.0.2.1;9.0.3;9.0.4;9.0.3.1","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
21 August 2018

UID

swg22017146