IBM App Connect Professional 22.214.171.124-CUMUIFIX-005 and 126.96.36.199-CUMUIFIX-017 include some security fixes and a change to how you can enable the behaviour for a WSInvoke activity to throw an exception if it encounters a WebService fault.
This technote summarises the major fixes and provides important notes and checks that should be performed before installing IBM App Connect Professional 188.8.131.52-CUMUIFIX-005 or 184.108.40.206-CUMUIFIX-017.
Major fixes in this IFix
- Security fixes:
  - SHA1 algorithm is disabled. This indirectly disables the TLSv1.1 protocol.
  - Cross-site scripting vulnerability in WMC JSP pages
  - Iframe injection vulnerability in WMC JSP pages
  - Session identifier updated upon WMC login
- As a default behaviour, the WSInvoke activity throws an exception on a WebService fault. This behaviour can be altered by setting the property "WSFaultAsException" to true.
  - For Studio, the property is set as a system property. Launch Studio with the additional command line parameter -J-DWSFaultAsException=true each time.
  - For hypervisor/docker and Live, the property is set as a sysconf property. As a one-time activity, customers using Hypervisor and Live should contact IBM support to enable this property. Customers using docker can enable this property using the ihdbdirect command. Sysconf property values persist across upgrades.
Before applying this IFix, verify the following aspects in your configuration for secure communications:
- Any certificate whose signature algorithm is based on SHA1 (for example SHA1withRSA) will cause SSL handshake failures. Customers should check the certificate configuration of every endpoint that supports secure communication (HTTP, WebService, DB, FTP, Email) to make sure that the signature algorithm is not SHA1withRSA.
- Projects that have Http and WebService activities where protocol selection is TLSv1.1 need to be edited in Studio to change the protocol selection to TLSv1.2 or SSL_TLSv2.
- The certificate configured for the Emgmt interface for Web Management Console (WMC) access. You can select "Factory supplied identity strong" and then check your WMC access.
If a SHA1withRSA certificate is configured for the Mgmt interface for WMC access, you will see an error similar to the following:
Secure Connection Failed An error occurred during a connection to 220.127.116.11. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
Note: Any new certificates generated through WMC after applying this IFix will have SHA256withRSA as the signature algorithm.
- Some MS Dynamics CRM Discovery servers are incorrectly configured, which might cause SSL handshake failures when clicking "Discover Organization" while creating new MS Dynamics CRM endpoints in Studio. This SSL handshake failure occurs because the server sends an unsupported SignatureAndHashAlgorithm in the ServerKeyExchange message (for example, SHA1withRSA). If you encounter such an SSL handshake failure, as a workaround you can launch Studio with SHA1 enabled and create the new endpoints. To enable SHA1, edit the java.security.override file under /security and remove SHA1 from the jdk.tls.disabledAlgorithms property value. Note: The issue with MS Dynamics discovery servers does not affect the running of projects.
- Session identifier updated upon WMC login: This fix does not change any login or functional behaviour for the customer. It addresses a security vulnerability related to internally used session IDs.
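As an added example for the certificate check described above (this is not IBM's code and not part of the technote), the following Python snippet reads the signatureAlgorithm OID directly out of a DER-encoded X.509 certificate and flags SHA1withRSA; check_endpoint fetches a server's leaf certificate over TLS so the same check can be run against the HTTP, WebService, DB, FTP or Email endpoints before the iFix is applied. The helper names, the port default, and the two embedded sample certificate skeletons are assumptions constructed for this example.

```python
import ssl

# Certificate.signatureAlgorithm OIDs, named the way Java names them (as in the technote).
SIG_OIDS = {"1.2.840.113549.1.1.5": "SHA1withRSA", "1.2.840.113549.1.1.11": "SHA256withRSA"}

def _tlv(buf, pos):
    """Read one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, which real certificates use
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):  # DER OID content octets -> dotted string
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return the signature algorithm name (or raw OID) of a DER X.509 certificate."""
    tag, body, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _tlv(der, body)        # skip tbsCertificate
    _, alg_body, _ = _tlv(der, tbs_end)    # signatureAlgorithm ::= AlgorithmIdentifier
    tag, start, end = _tlv(der, alg_body)  # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    oid = _decode_oid(der[start:end])
    return SIG_OIDS.get(oid, oid)

def is_sha1_signed(der):
    return signature_algorithm(der).startswith("SHA1")

def check_endpoint(host, port=443):
    """Fetch an endpoint's leaf certificate over TLS and report whether it is SHA1-signed."""
    pem = ssl.get_server_certificate((host, port))
    return is_sha1_signed(ssl.PEM_cert_to_DER_cert(pem))

# Constructed samples: structurally valid DER Certificate skeletons (not real certificates).
def _seq(tag, body):
    return bytes([tag, len(body)]) + body
def _sample_cert(oid_hex):
    alg = _seq(0x30, _seq(0x06, bytes.fromhex(oid_hex)) + _seq(0x05, b""))
    return _seq(0x30, _seq(0x30, _seq(0x02, b"\x01")) + alg + _seq(0x03, b"\x00\xab"))
SAMPLE_SHA1_CERT = _sample_cert("2a864886f70d010105")    # sha1WithRSAEncryption
SAMPLE_SHA256_CERT = _sample_cert("2a864886f70d01010b")  # sha256WithRSAEncryption
```

Only the leaf certificate is examined; run the same check over the intermediate certificates of the chain where you have them.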
See also: The App Connect Professional builds and iFix details page at http://www.ibm.com/support/docview.wss?uid=swg21998280
23 September 2019