Security Bulletin
Summary
SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM Tivoli Monitoring (ITM).
Vulnerability Details
CVE-ID: CVE-2014-3566
DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Products and Versions
The following components of IBM Tivoli Monitoring (ITM) are affected by the SSLv3 vulnerability:
- Tivoli Enterprise Management Servers (TEMS) - 6.20 through 6.30 FP4 (all releases)
- Agents – IBM Tivoli Monitoring Shared Libraries (ax component on UNIX/Linux) or Tivoli Enterprise Monitoring Agent Framework (GL componet on Windows) - 6.20 through 6.30 FP4
- Tivoli Enterprise Portal Server (TEPS)
- embedded WebSphere Application Server – 6.20 through 6.30 FP4
- IBM HTTP Server (IHS) - 6.23 through 6.30 FP1
- Portal server communication with portal clients
- HTTP – 6.23 through 6.30 FP1
- IIOP - Not affected
- SSL/IIOP – 6.20 through 6.30 FP4
- Situation Update Forwarder (SUF) – 6.20 through 6.30 FP3
Remediation/Fixes
Portal Server, Management Servers, and Agents
The following patches are provided which disable SSLv3 in common code that is shared across ITM components. The following patches should be installed on each portal server, distributed management server (hub and remote), and ITM distributed agent systems (unless the Service Console is disabled, see below):
- 6.3.0-TIV-ITM-FP0004-IV68044
- 6.2.3-TIV-ITM-FP0005-IV68044
- 6.2.2-TIV-ITM-FP0009-IV68044
- 6.21/6.20 upgrade to one of the releases above where a patch is available. If unable to upgrade, contact IBM support
The following link contains information about accessing the patches above:
http://www-01.ibm.com/support/docview.wss?uid=swg24039203
Distributed Agents
For agent systems, the patch above updates the IBM Tivoli Monitoring Shared Libraries (ax component on UNIX/Linux) or Tivoli Enterprise Monitoring Agent Framework (GL component on Windows). The technote Upgrading Shared Components for IBM Tivoli Monitoring Agents provides information on how shared libraries are used.
For Agents running on distributed environments, instead of installing the patch, the Service Console can be disabled using the steps below.
- NOTE: Disabling the service console using the steps below will result in the following functions to be disabled for that agent:
- SOAP requests
- tacmd commands
- dynamic trace
These these steps will need to be done for each agent and agent instance on the system.
- Windows:
- From the MTEMS, right-click on the agent or agent instance and select Advanced..Edit Variables.
- Select KDC_FAMILIES. Add "HTTP_SERVER:N" to the beginning. For example,
- Restart the agent or agent instance.
- UNIX/Linux:
- Update the <pc>.ini file and locate the line 'KDC_FAMILIES'. Add "HTTP_SERVER:N" to the front of the line. For example, if the default line looks like:
- For multi-instance agents, if the <pc>_<instance>.config file exists, edit it and locate the 'KDC_FAMILIES'. Add "HTTP_SERVER:N" to the front of the line. For example, if the default line looks like:
- Restart the agent or agent instance.
- HTTP_SERVER:N @Protocol@
- KDC_FAMILIES=$NETWORKPROTOCOL$
Change it to the following
KDC_FAMILIES=HTTP_SERVER:N $NETWORKPROTOCOL$
- export KDC_FAMILIES='ip.pipe port:1918 ip.spipe use:n sna use:n ip use:n ip6.pipe use:n ip6.spipe use:n ip6 use:n'
- export KDC_FAMILIES='HTTP_SERVER:N ip.pipe port:1918 ip.spipe use:n sna use:n ip use:n ip6.pipe use:n ip6.spipe use:n ip6 use:n'
Portal Server
In addition to installing the patch for IV68044 (described above), the following configuration changes are required for components residing on the portal server to disable SSLv3.
Embedded WebSphere Application Server (eWAS)
Update the configuration for the embeedded Websphere Application Server (eWAS) included as part of IBM Tivoli Monitoring portal server.
- Go to Security > SSL certificate and key management > SSL configurations
- The collection of all SSL configurations is listed. For each SSL configuration in the list the SSL protocol will need to be modified to use TLS.
- Select an SSL Configuration then click Quality of protection (QoP) settings under Additional Properties on the right.
- On the Quality of protection (QoP) settings panel select TLS form the pull down list in the box labeled Protocol.
- Apply/Save.
1. Ensure the portal server is running.
2. Start the TEPS/e administration console using the steps in the Starting the TEPS/e administration console section in the Administrator's Guide or follow the steps below:
- Enable the TEPS/e Administration Console:.
- On Windows: Select the Tivoli Enterprise Portal server from Manage Tivoli Enterprise Monitoring Services (MTEMS), right mouse click, select Advanced --> TEPS/e Administration--> Enable TEPS/e Administration
On UNIX/Linux: Run the command:
$CANDLEHOME/<interp>/iw/scripts/enableSCLite.sh true
. Enable TEPS/e Administration Console password.
- On Windows: Select the Tivoli Enterprise Portal server from MTEMS, right mouse click, select Advanced --> TEPS/e Administration--> Enable TEPS/e Password
On UNIX/Linux: Run the command:
$CANDLEHOME/<interp>/iw/scripts/updateTEPSEPass.sh wasadmin <password>
- http://<teps_hostname:15205/ibm/console.
Use "wasadmin" as the userid and type in the password set in step 3 above.
IBM HTTP Server (IHS)
Update the configuration for the IBM HTTP Server (IHS) included as part of IBM Tivoli Monitoring portal server for versions 6.23 through 6.30 FP1. Note: Portal Server versions 6.20 through 6.22 FP9 as well as versions 6.30 FP2 and higher are not affected and do not need the change below.
- Edit the IBM HTTP Server configuration file httpd.conf:
- Windows: Edit the file <install_dir>/IHS/conf/http.conf
ITM 6.2.3 on Linux/AIX: Edit the file <install_dir>/<arch>/iu/ihs/conf/httpd.conf
ITM 6.3.0 on Linux/AIX: Edit the file install_dir>/<arch>/iu/ihs/HTTPServer/conf/httpd.conf
Add the following directive to the httpd.conf file to disable SSLv3 and SSLv2 for each context that contains "SSLEnable":
- # Disable SSLv3 for CVE-2014-3566
# SSLv2 is disabled in V8R0 and later by default, and in typical V7
# and earlier configurations disabled implicitly when SSLv3 ciphers
# are configured with SSLCipherSpec.
SSLProtocolDisable SSLv3 SSLv2
Portal Server Communication with Portal Clients
The following are configuration changes required on the portal server based on the protocol configured for use with communication with the portal client.
- applet.html file has the tep.connection.protocol=http or https -OR-
- tep.jnlp file has the tep.connection.protocol=https
- 6.20 through 6.22 FP9 – Not Applicable (not supported on those releases)
- 6.23 through 6.30 FP1 – configure to use IIOP protocol
- Remove the tep.connection.protocol from the applet.html and tep.jnlp file(s).
- In Manage Tivoli Enterprise Monitoring Services, right-click Tivoli Enterprise Portal Server.
- Click Advanced > Edit ENV file.
- Find the line kfw_interface_cnps_ssl, for example:
- kfw_interface_cnps_ssl=Y
- If it is set to Y, then change to N. Save the file and exit. Click Yes when you are asked if you want to recycle the service.
- If it is already set to N, then no change is required.
- Restart the portal client(s).
- 6.30 FP2 through 6.30 FP4 – No change required.
- 6.20 through 6.30 FP4 – Not affected; no changes required.
- 6.20 through 6.30 FP1 – configure to use IIOP:
- 6.30 FP2 through 6.30 FP4 - Edit the portal server configuration file:
Using HTTPS protocol
This is defined when either of the following applies:
The following changes are required:
Using Internet Inter-ORB Protocol (IIOP) protocol:
This is defined if the HTTPS protocol above is not being used and the KFW_INTERFACE_cnps_SSL is set to "N" in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config)
Using SSL over IIOP protocol:
This is defined if the HTTPS protocol above is not being used and the KFW_INTERFACE_cnps_SSL is set to "Y" in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config)
- In Manage Tivoli Enterprise Monitoring Services, right-click Tivoli Enterprise Portal Server.
Click Advanced > Edit ENV file.
Find the following line:
- kfw_interface_cnps_ssl=Y
Save the file and exit.
Click Yes when you are asked if you want to recycle the service.
Using any protocol:
NOTE: The configuration change below was originally documented to be needed only when SSL over IIOP protocol was being utilized. After further analysis it it required even if that protocol is not being used, so should be done for all portal servers running version 6.30 FP2 through 6.30 FP4. .
- Windows: <install_dir>/CNPS/KFWENV
Linux/AIX: <install_dir>/config/cq.ini
- KFW_ORBPARM=-Dvbroker.security.server.socket.enabledProtocols=TLS_Version_1_0_Only
Management Server
In addition to installing the patch for IV68044 (described above), the following configuration changes are required:
LDAP
If LDAP is configured for user authentication for the management server, then the configuration file for the Tivoli Enterprise Management Server (TEMS) will need to have the following environment variable specified:
- LDAP_OPT_SECURITY_PROTOCOL=TLS10,TLS11,TLS12
See the following bulletin for more details: http://www-01.ibm.com/support/docview.wss?uid=swg21687611
Management Server on z/OS
For customers using the AT-TLS policy template supplied with Tivoli Monitoring products, the TTLSEnvironmentAdvancedParms can be augmented to specify default use of SSLv2, SSLv3, and TLS with the following additions:
TTLSEnvironmentAdvancedParms KDEBEADV
{
ApplicationControlled On
ClientAuthType PassThru
SSLv2 Off
SSLv3 Off
TLSv1 On
}
For z/OS Communications Server, the AT-TLS policy definition is used to control the negotiated encryption protocols and cipher suites. Within the AT-TLS policy, a TTLSCipherParms section can be used to select non-SSLv3 protocols:
- TTLSCipherParms cipher1~AT-TLS__Gold 5
{
V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
}
With this definition present, the TTLSConnectionAction for the IBM Tivoli Monitoring Tivoli Enterprise Monitoring Server (TEMS) can be augmented to include TTLSCipherParms thus assuring the non-use of SSLv3:
- TTLSConnectionAction KDEBEIN
{
HandshakeRole Server
TTLSCipherParmsRef cipher1~AT-TLS__Gold
*
*
*
}
Situation Update Forwarder (SUF)
If utilizing the Situation Update Forwarder (SUF) to pass updated events from OMNIbus to an ITM management server, once the management server has been updated with IV68044, then the Situation Update Forwarder server prior to 6.30 FP4 will need to install a patch for the Situation Update Forwarder to be able to continue sending events to ITM.
The following link contains information about installing the patch required for SUF:
http://www-01.ibm.com/support/docview.wss?uid=swg24039006
IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3. You should verify disabling SSLv3 does not cause any compatibility issues.
Get Notified about Future Security Bulletins
References
Change History
2014-12-19: Added NOTE regarding the disabling of the service console for distributed agents.
2015-06-08: Added new section called "Using any protocol" under section "Portal Server Communication with Portal Clients". Previously the configuration was documented to be used only if SSL over IIOP was configured. After further analysis is it required for all portal server version 6.30 FP2 through 6.30 FP4.
2017-03-23: Updated to indicate the IV66217 has been superseeded by IV68044 and fix broken links
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
17 June 2018
UID
swg21691775