IBM Support

Security Bulletin: Vulnerability in SSLv3 affects IBM Tivoli Monitoring (CVE-2014-3566)

Security Bulletin


Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM Tivoli Monitoring (ITM).

Vulnerability Details

CVE-ID: CVE-2014-3566

DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

The following components of IBM Tivoli Monitoring (ITM) are affected by the SSLv3 vulnerability:

  • Tivoli Enterprise Management Servers (TEMS) - 6.20 through 6.30 FP4 (all releases)
  • Agents – IBM Tivoli Monitoring Shared Libraries (ax component on UNIX/Linux) or Tivoli Enterprise Monitoring Agent Framework (GL component on Windows) - 6.20 through 6.30 FP4
  • Tivoli Enterprise Portal Server (TEPS)
    • embedded WebSphere Application Server – 6.20 through 6.30 FP4
    • IBM HTTP Server (IHS) - 6.23 through 6.30 FP1
    • Portal server communication with portal clients
      • HTTP – 6.23 through 6.30 FP1
      • IIOP - Not affected
      • SSL/IIOP – 6.20 through 6.30 FP4
  • Situation Update Forwarder (SUF) – 6.20 through 6.30 FP3

Remediation/Fixes

Portal Server, Management Servers, and Agents


The following patches disable SSLv3 in common code that is shared across ITM components. Install them on each portal server, distributed management server (hub and remote), and ITM distributed agent system (unless the Service Console is disabled, see below):
    • 6.3.0-TIV-ITM-FP0004-IV68044
    • 6.2.3-TIV-ITM-FP0005-IV68044
    • 6.2.2-TIV-ITM-FP0009-IV68044
    • 6.21/6.20: upgrade to one of the releases above where a patch is available. If unable to upgrade, contact IBM Support.

The following link contains information about accessing the patches above:
http://www-01.ibm.com/support/docview.wss?uid=swg24039203


Distributed Agents
For agent systems, the patch above updates the IBM Tivoli Monitoring Shared Libraries (ax component on UNIX/Linux) or Tivoli Enterprise Monitoring Agent Framework (GL component on Windows). The technote Upgrading Shared Components for IBM Tivoli Monitoring Agents provides information on how shared libraries are used.

For Agents running on distributed environments, instead of installing the patch, the Service Console can be disabled using the steps below.
    NOTE: Disabling the service console using the steps below disables the following functions for that agent:
    • SOAP requests
    • tacmd commands
    • dynamic trace
    For this reason, HTTP_SERVER:N should be configured on agent endpoints ONLY and only if these functions are not needed by the user or agents installed on that system.

These steps will need to be done for each agent and agent instance on the system.
  • Windows:
    • From the MTEMS, right-click on the agent or agent instance and select Advanced..Edit Variables.
    • Select KDC_FAMILIES. Add "HTTP_SERVER:N" to the beginning. For example,
      • HTTP_SERVER:N @Protocol@
      Save the value.
    • Restart the agent or agent instance.
  • UNIX/Linux:
    • Update the <pc>.ini file and locate the line 'KDC_FAMILIES'. Add "HTTP_SERVER:N" to the front of the line. For example, if the default line looks like:
      • KDC_FAMILIES=$NETWORKPROTOCOL$
        Change it to the following
        KDC_FAMILIES=HTTP_SERVER:N $NETWORKPROTOCOL$
    • For multi-instance agents, if the <pc>_<instance>.config file exists, edit it and locate the 'KDC_FAMILIES'. Add "HTTP_SERVER:N" to the front of the line. For example, if the default line looks like:
      • export KDC_FAMILIES='ip.pipe port:1918 ip.spipe use:n sna use:n ip use:n ip6.pipe use:n ip6.spipe use:n ip6 use:n'
      Change it to the following:
        export KDC_FAMILIES='HTTP_SERVER:N ip.pipe port:1918 ip.spipe use:n sna use:n ip use:n ip6.pipe use:n ip6.spipe use:n ip6 use:n'
    • Restart the agent or agent instance.
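The UNIX/Linux edit above can be scripted so that it is repeatable across many agent files. The following is an added example, not IBM-supplied code: the function name `disable_service_console` and the `.bak` backup suffix are assumptions, and it covers only the two line forms shown in the steps above.

```shell
#!/bin/sh
# Added example (not from the bulletin): prepend HTTP_SERVER:N to the
# KDC_FAMILIES value in an ITM agent file. Handles both forms shown above:
#   KDC_FAMILIES=$NETWORKPROTOCOL$               (<pc>.ini)
#   export KDC_FAMILIES='ip.pipe port:1918 ...'  (<pc>_<instance>.config)
# Return codes: 0 = file updated (original kept as <file>.bak),
#               1 = HTTP_SERVER:N already present, nothing changed,
#               2 = file missing or no KDC_FAMILIES line found.
disable_service_console() {
    file=$1
    line_re='^[[:space:]]*(export[[:space:]]+)?KDC_FAMILIES='
    done_re="KDC_FAMILIES=['\"]?HTTP_SERVER:N"

    [ -f "$file" ] || return 2
    grep -Eq "$line_re" "$file" || return 2

    # Idempotent: stop if every KDC_FAMILIES line already starts with
    # HTTP_SERVER:N, so repeated runs never stack the keyword.
    if ! grep -E "$line_re" "$file" | grep -Evq "$done_re"; then
        return 1
    fi

    # Keep the original so the change can be reverted if SOAP requests,
    # tacmd commands or dynamic trace turn out to be needed on this agent.
    cp -p "$file" "$file.bak" || return 2

    # Insert the keyword right after "KDC_FAMILIES=" (and after an opening
    # quote, if any) on lines that do not have it yet.
    sed -E "/$done_re/!s/^([[:space:]]*(export[[:space:]]+)?KDC_FAMILIES=['\"]?)/\1HTTP_SERVER:N /" \
        "$file.bak" > "$file"
}
```

Run it once per `<pc>.ini` and, where present, per `<pc>_<instance>.config`, then restart the agent or agent instance as described above.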

Portal Server


In addition to installing the patch for IV68044 (described above), the following configuration changes are required for components residing on the portal server to disable SSLv3.

Embedded WebSphere Application Server (eWAS)


Update the configuration for the embedded WebSphere Application Server (eWAS) included as part of IBM Tivoli Monitoring portal server.

    1. Ensure the portal server is running.

    2. Start the TEPS/e administration console using the steps in the Starting the TEPS/e administration console section in the Administrator's Guide or follow the steps below:
      Enable the TEPS/e Administration Console:
          On Windows: Select the Tivoli Enterprise Portal server from Manage Tivoli Enterprise Monitoring Services (MTEMS), right mouse click, select Advanced --> TEPS/e Administration--> Enable TEPS/e Administration

          On UNIX/Linux: Run the command:
          $CANDLEHOME/<interp>/iw/scripts/enableSCLite.sh true

      Enable the TEPS/e Administration Console password:
          On Windows: Select the Tivoli Enterprise Portal server from MTEMS, right mouse click, select Advanced --> TEPS/e Administration--> Enable TEPS/e Password

          On UNIX/Linux: Run the command:
          $CANDLEHOME/<interp>/iw/scripts/updateTEPSEPass.sh wasadmin <password>
      Log on to the TEPS/e Administration Console by opening the following URL:
          http://<teps_hostname>:15205/ibm/console
          Use "wasadmin" as the userid and type in the password set in step 3 above.
    3. On the Administration Console
        1. Go to Security > SSL certificate and key management > SSL configurations
        2. The collection of all SSL configurations is listed. For each SSL configuration in the list the SSL protocol will need to be modified to use TLS.
        3. Select an SSL Configuration then click Quality of protection (QoP) settings under Additional Properties on the right.
        4. On the Quality of protection (QoP) settings panel select TLS from the pull down list in the box labeled Protocol.
        5. Apply/Save.


IBM HTTP Server (IHS)


Update the configuration for the IBM HTTP Server (IHS) included as part of IBM Tivoli Monitoring portal server for versions 6.23 through 6.30 FP1. Note: Portal Server versions 6.20 through 6.22 FP9 as well as versions 6.30 FP2 and higher are not affected and do not need the change below.
    Edit the IBM HTTP Server configuration file httpd.conf:
      Windows: Edit the file <install_dir>/IHS/conf/httpd.conf
      ITM 6.2.3 on Linux/AIX: Edit the file <install_dir>/<arch>/iu/ihs/conf/httpd.conf
      ITM 6.3.0 on Linux/AIX: Edit the file <install_dir>/<arch>/iu/ihs/HTTPServer/conf/httpd.conf

    Add the following directive to the httpd.conf file to disable SSLv3 and SSLv2 for each context that contains "SSLEnable":
      # Disable SSLv3 for CVE-2014-3566
      # SSLv2 is disabled in V8R0 and later by default, and in typical V7
      # and earlier configurations disabled implicitly when SSLv3 ciphers
      # are configured with SSLCipherSpec.
      SSLProtocolDisable SSLv3 SSLv2
    Stop and restart the portal server for the changes to take effect.
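Because the directive has to appear in every context that contains "SSLEnable", a context can easily be missed when httpd.conf has several. The following check is an added example, not IBM-supplied code: the function name `audit_ihs_sslv3` is hypothetical, and it assumes a "context" is either the global scope or one `<VirtualHost>` block.

```shell
#!/bin/sh
# Added example (not from the bulletin): list every httpd.conf context
# that has SSLEnable but no active "SSLProtocolDisable ... SSLv3".
# Assumption: a context is the global scope or one <VirtualHost> block,
# and each context is judged on its own, as the bulletin instructs.
# Prints one line per offending context; returns 1 if any is found.
audit_ihs_sslv3() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)      # ignore indentation
        low = tolower(line)           # directives are case-insensitive
    }
    low == "" || low ~ /^#/ { next }  # commented-out directives do not count
    low ~ /^<virtualhost/ {
        invh = 1; name = line; en = 0; dis = 0
        next
    }
    low ~ /^<\/virtualhost/ {
        if (en && !dis) {
            print name
            bad = 1
        }
        invh = 0
        next
    }
    low ~ /^sslenable/ {
        if (invh) en = 1
        else gen = 1
    }
    low ~ /^sslprotocoldisable/ && low ~ /sslv3/ {
        if (invh) dis = 1
        else gdis = 1
    }
    END {
        if (gen && !gdis) {
            print "global"
            bad = 1
        }
        exit bad + 0
    }' "$1"
}
```

An empty result with return code 0 means every SSL-enabled context in the file carries the directive; the portal server still has to be restarted for it to apply.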


Portal Server Communication with Portal Clients


The following are configuration changes required on the portal server based on the protocol configured for use with communication with the portal client.

    Using HTTPS protocol
    This is defined when either of the following applies:
    • applet.html file has the tep.connection.protocol=http or https -OR-
    • tep.jnlp file has the tep.connection.protocol=https

    The following changes are required:
    • 6.20 through 6.22 FP9 – Not Applicable (not supported on those releases)
    • 6.23 through 6.30 FP1 – configure to use IIOP protocol
        • Remove the tep.connection.protocol from the applet.html and tep.jnlp file(s).
        • In Manage Tivoli Enterprise Monitoring Services, right-click Tivoli Enterprise Portal Server.
          • Click Advanced > Edit ENV file.
          • Find the line kfw_interface_cnps_ssl, for example:
            • kfw_interface_cnps_ssl=Y
          • If it is set to Y, then change to N. Save the file and exit. Click Yes when you are asked if you want to recycle the service.
          • If it is already set to N, then no change is required.
        • Restart the portal client(s).
    • 6.30 FP2 through 6.30 FP4 – No change required.


    Using Internet Inter-ORB Protocol (IIOP) protocol:
    This is defined if the HTTPS protocol above is not being used and the KFW_INTERFACE_cnps_SSL is set to "N" in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config)
    • 6.20 through 6.30 FP4 – Not affected; no changes required.


    Using SSL over IIOP protocol:
    This is defined if the HTTPS protocol above is not being used and the KFW_INTERFACE_cnps_SSL is set to "Y" in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config)
    • 6.20 through 6.30 FP1 – configure to use IIOP:
      • In Manage Tivoli Enterprise Monitoring Services, right-click Tivoli Enterprise Portal Server.
        Click Advanced > Edit ENV file.
        Find the following line:
          kfw_interface_cnps_ssl=Y
        Change the Y to N.
        Save the file and exit.
        Click Yes when you are asked if you want to recycle the service.

    Using any protocol:
    NOTE: The configuration change below was originally documented to be needed only when SSL over IIOP protocol was being utilized. After further analysis it is required even if that protocol is not being used, so should be done for all portal servers running version 6.30 FP2 through 6.30 FP4.
    • 6.30 FP2 through 6.30 FP4 - Edit the portal server configuration file:
        • Windows: <install_dir>/CNPS/KFWENV
          Linux/AIX: <install_dir>/config/cq.ini
        Add the following variable:
          KFW_ORBPARM=-Dvbroker.security.server.socket.enabledProtocols=TLS_Version_1_0_Only
        Stop and restart the portal server for the changes to take effect.

    Management Server


    In addition to installing the patch for IV68044 (described above), the following configuration changes are required:

    LDAP


    If LDAP is configured for user authentication for the management server, then the configuration file for the Tivoli Enterprise Management Server (TEMS) will need to have the following environment variable specified:
      LDAP_OPT_SECURITY_PROTOCOL=TLS10,TLS11,TLS12

    See the following bulletin for more details: http://www-01.ibm.com/support/docview.wss?uid=swg21687611

    Management Server on z/OS


    For customers using the AT-TLS policy template supplied with Tivoli Monitoring products, the TTLSEnvironmentAdvancedParms can be augmented to specify default use of SSLv2, SSLv3, and TLS with the following additions:

    TTLSEnvironmentAdvancedParms KDEBEADV
    {
      ApplicationControlled On
      ClientAuthType PassThru
      SSLv2 Off
      SSLv3 Off
      TLSv1 On
    }

    For z/OS Communications Server, the AT-TLS policy definition is used to control the negotiated encryption protocols and cipher suites. Within the AT-TLS policy, a TTLSCipherParms section can be used to select non-SSLv3 protocols:
      TTLSCipherParms cipher1~AT-TLS__Gold 5
      {
        V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
        V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
      }

    With this definition present, the TTLSConnectionAction for the IBM Tivoli Monitoring Tivoli Enterprise Monitoring Server (TEMS) can be augmented to include TTLSCipherParms thus assuring the non-use of SSLv3:
      TTLSConnectionAction KDEBEIN
      {
        HandshakeRole Server
        TTLSCipherParmsRef cipher1~AT-TLS__Gold
        *
        *
        *
      }


    Situation Update Forwarder (SUF)


    If utilizing the Situation Update Forwarder (SUF) to pass updated events from OMNIbus to an ITM management server, once the management server has been updated with IV68044, then the Situation Update Forwarder server prior to 6.30 FP4 will need to install a patch for the Situation Update Forwarder to be able to continue sending events to ITM.

    The following link contains information about installing the patch required for SUF:
    http://www-01.ibm.com/support/docview.wss?uid=swg24039006



    IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3. You should verify disabling SSLv3 does not cause any compatibility issues.


    Change History

    2014-12-19: Added NOTE regarding the disabling of the service console for distributed agents.

    2015-06-08: Added new section called "Using any protocol" under section "Portal Server Communication with Portal Clients". Previously the configuration was documented to be used only if SSL over IIOP was configured. After further analysis it is required for all portal server versions 6.30 FP2 through 6.30 FP4.

    2017-03-23: Updated to indicate that IV66217 has been superseded by IV68044 and fixed broken links

    *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

    Disclaimer

    According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


    Document Information

    Modified date: 17 June 2018

    UID: swg21691775