IBM Support

Security Advisory: CVE-2024-5535 – Patch Guidance for IBM DevOps Test Workbench

Troubleshooting


Problem

A security vulnerability identified as CVE-2024-5535 affects the SSL_select_next_proto function in OpenSSL. When invoked with an empty list of supported client protocols, this function may lead to a crash or unintended memory disclosure to the peer. The IBM Semeru Runtime Java, which is bundled with various IBM DevOps Test products, includes OpenSSL libraries and may be flagged during security scans. The following files, in particular, could appear as potentially vulnerable:

  • C:\Program Files\IBM\DevOpsTestAPI\jre\bin\libcrypto-3-x64.dll
  • C:\Program Files\IBM\DevOpsTestControlPanel\jre\bin\libcrypto-3-x64.dll

Diagnosing The Problem

A thorough internal review and the Security Bulletin have confirmed that this vulnerability does not impact the following IBM DevOps products:

  • IBM DevOps Test Workbench (Test Workbench)
  • IBM DevOps Test Virtualization (Test Virtualization)

Resolving The Problem

Although there is no direct product impact, a fix is planned for inclusion in the upcoming Test Workbench v11.0.6 release. This version will include:

  • Java Runtime Environment (JRE): v17.0.14-7
  • OpenSSL Library (libcrypto.dll): v3.0.16

If you wish to apply a mitigation before the official release, you can update the JRE manually using the steps below.

Note: This workaround requires stopping all relevant services. Please ensure all work is saved and testing activities are paused.

  1. Use Task Manager to stop the following processes:
    • IBM DevOps Test Integrations and APIs - Agent
    • IBM DevOps Test Control Panel service
    • Background processes: javaw.exe, java.exe, integrationtester.exe, Agent.exe, etc.
  2. Navigate to each product's installation directory and rename the current jre folder (e.g., to jre_old) to keep a backup.
  3. Download IBM Semeru Runtime v17.0.14 from the IBM Support Portal.
  4. Verify libcrypto version:
    • After extracting the JRE files, navigate to the bin folder.
    • Run the following PowerShell command to check the version of libcrypto-3-x64.dll:
      Get-Item "libcrypto-3-x64.dll" | Select-Object VersionInfo

  5. Replace the existing jre folders in the installation directories with the newly downloaded JRE.
  6. Ensure the folder name remains jre (do not rename).
  7. Restart all Test Workbench-related services.
  8. Check and confirm that the environment is functioning as expected.
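
The version check in step 4 can be repeated across every JRE copy involved in the procedure. The script below is an added example, not IBM-supplied code: it reports the libcrypto-3-x64.dll version in the extracted JRE, in each installed jre folder, and in the jre_old backup, and compares it with the 3.0.16 level this document lists for v11.0.6. The extraction folder C:\Temp\semeru-jre is a hypothetical path, jre_old is the example backup name from step 2, and the installation roots are taken from the file paths listed above.

```powershell
param(
    # Installation roots taken from the file paths listed in this document.
    [string[]]$InstallRoot = @(
        'C:\Program Files\IBM\DevOpsTestAPI',
        'C:\Program Files\IBM\DevOpsTestControlPanel'
    ),
    # Hypothetical folder where the downloaded Semeru JRE was extracted (assumption).
    [string]$NewJre = 'C:\Temp\semeru-jre',
    # OpenSSL level this document lists for the v11.0.6 release.
    [version]$Target = '3.0.16'
)

function Get-LibcryptoStatus {
    param([string]$JreDir, [version]$Target)
    $dll = Join-Path $JreDir 'bin\libcrypto-3-x64.dll'
    if (-not (Test-Path -LiteralPath $dll)) {
        return [pscustomobject]@{ Path = $dll; Version = $null; Status = 'missing' }
    }
    $vi = (Get-Item -LiteralPath $dll).VersionInfo
    if (-not $vi.FileVersion) {
        # No version resource in the file: report it instead of comparing 0.0.0.
        return [pscustomobject]@{ Path = $dll; Version = $null; Status = 'no version resource' }
    }
    # Use the numeric fields; the string fields may carry text suffixes.
    $found = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
    $status = if ($found -ge $Target) { 'at target' } else { 'below target' }
    [pscustomobject]@{ Path = $dll; Version = $found; Status = $status }
}

# Step 1: warn if any of the background processes named above are still running,
# because the jre folder cannot be renamed or replaced cleanly while they hold it.
$running = Get-Process -Name java, javaw, integrationtester, Agent -ErrorAction SilentlyContinue
if ($running) {
    Write-Warning "Still running: $(($running.ProcessName | Sort-Object -Unique) -join ', ')"
}

# Extracted JRE (step 4), live jre folders (steps 5-6), and backups (step 2).
$dirs = @($NewJre) + ($InstallRoot | ForEach-Object {
    Join-Path $_ 'jre'
    Join-Path $_ 'jre_old'
})
$dirs | ForEach-Object { Get-LibcryptoStatus -JreDir $_ -Target $Target } |
    Format-Table -AutoSize
```

Run it before step 5 to confirm the extracted JRE is at the target level, and again after step 7 to confirm each live jre folder now reports the new version.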

While IBM DevOps Test products are not impacted by this OpenSSL issue, you may still choose to update the JRE as a precautionary step. The upcoming v11.0.6 release will include this fix by default. For now, the steps outlined above offer a temporary workaround for environments requiring enhanced compliance or internal security policies.

Document Location

Worldwide

Product Synonym

IBM Rational Test Workbench; IBM Rational Test Virtualization Server; RTVS; RTW

Document Information

Modified date:
17 July 2025

UID

ibm17239161