Security Bulletin: Vulnerability in TLS affects IBM Tivoli Monitoring (CVE-2014-8730)



Summary

A new variant of the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack for TLS may affect IBM Tivoli Monitoring (ITM).

Vulnerability Details

CVEID: CVE-2014-8730

DESCRIPTION:
Product could allow a remote attacker to obtain sensitive information, caused by the failure of some TLS implementations to check the contents of the padding bytes when using CBC cipher suites. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE-like (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt sensitive information and recover the plaintext of secure connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99216 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

The following components of IBM Tivoli Monitoring (ITM) are affected by the TLS vulnerability:

  • Portal server, distributed management server, and distributed agents:
    • GSKit – 6.20 through 6.30 FP4
    • Java - 6.20 through 6.30 FP1
  • Portal server – IBM HTTP Server (IHS) – 6.23 through 6.30 FP4
  • Portal server – Portal Clients – using SSL/IIOP 6.20 through 6.30 FP4
  • Situation Update Forwarder (SUF) - see section under Remediation/Fixes.

Remediation/Fixes

Portal Server, Distributed Management Servers, and Distributed Agents



GSKit Remediation:


The following patches address the TLS issue in common code that is shared across ITM components. Install them on each portal server, distributed management server (hub and remote), and ITM distributed agent system (unless the Service Console is disabled; see below):
    • 6.30: Install 6.3.0-TIV-ITM-FP0004-IV68044
    • 6.23: Install 6.2.3-TIV-ITM-FP0005-IV68044
    • 6.22: Install 6.2.2-TIV-ITM-FP0009-IV68044 (prereqs 6.2.2-TIV-ITM-FP0009-IV56302 to get to correct GSKit version)
    • 6.21/6.20: Upgrade to one of the versions above. Call support if unable to upgrade.

The following link contains information about accessing the patches above:
http://www.ibm.com/support/docview.wss?uid=swg24039203


NOTE: The fix for IV68044 supersedes and includes the fix for the POODLE vulnerability in SSLv3 addressed by APAR fix IV66217. Once the patch above for IV68044 is installed, the patch for IV66217 is not needed and should not be installed afterwards.


Distributed Agents
For agent systems, the patch above updates the IBM Tivoli Monitoring Shared Libraries (ax component on UNIX/Linux) or Tivoli Enterprise Monitoring Agent Framework (GL component on Windows). The technote Upgrading Shared Components for IBM Tivoli Monitoring Agents provides information on how shared libraries are used.

For agents running in distributed environments, installing the patch above is recommended. If that cannot be done, the Service Console can be disabled using the steps below to remediate the vulnerability.

NOTE: Disabling the Service Console using the steps below disables the following functions for that agent:
  • SOAP requests
  • tacmd commands
  • dynamic trace
For this reason, HTTP_SERVER:N should be configured on agent endpoints ONLY, and only if these functions are not needed by the user or by agents installed on that system.

These steps must be done for each agent and agent instance on the system.

Windows:
  • From the MTEMS, right-click on the agent or agent instance and select Advanced..Edit Variables.
  • Select KDC_FAMILIES. Add "HTTP_SERVER:N" to the beginning. For example,
    • HTTP_SERVER:N @Protocol@
    Save the value.
  • Restart the agent or agent instance.

UNIX/Linux:
  • Edit the <pc>.ini file and locate the line beginning 'KDC_FAMILIES'. Add "HTTP_SERVER:N" to the front of the value. For example, if the default line looks like:
      KDC_FAMILIES=$NETWORKPROTOCOL$
    change it to:
      KDC_FAMILIES=HTTP_SERVER:N $NETWORKPROTOCOL$
  • For multi-instance agents, if the <pc>_<instance>.config file exists, edit it and locate the 'KDC_FAMILIES' line. Add "HTTP_SERVER:N" to the front of the value. For example, if the default line looks like:
      export KDC_FAMILIES='ip.pipe port:1918 ip.spipe use:n sna use:n ip use:n ip6.pipe use:n ip6.spipe use:n ip6 use:n'
    change it to:
      export KDC_FAMILIES='HTTP_SERVER:N ip.pipe port:1918 ip.spipe use:n sna use:n ip use:n ip6.pipe use:n ip6.spipe use:n ip6 use:n'
  • Restart the agent or agent instance.
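The UNIX/Linux edit above, as an added shell example that is not part of the bulletin or of IBM's tooling: it prepends HTTP_SERVER:N to the KDC_FAMILIES value in either file form, makes a backup, skips lines already carrying the prefix, and offers a check function for auditing agent configuration files. File paths are supplied by the caller; none are assumed.

```shell
#!/bin/sh
# Added example, not IBM's code: apply the "HTTP_SERVER:N" change from the
# bulletin to an ITM agent configuration file on UNIX/Linux, so the agent's
# Service Console is not started. Handles both line forms the bulletin shows:
#   KDC_FAMILIES=$NETWORKPROTOCOL$                   (<pc>.ini)
#   export KDC_FAMILIES='ip.pipe port:1918 ...'      (<pc>_<instance>.config)
# The edit is idempotent: lines already carrying HTTP_SERVER:N are left alone.

disable_service_console() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp "$file" "$file.bak" || return 1           # keep a copy for rollback
    # Skip lines that already contain HTTP_SERVER:N; otherwise insert it right
    # after "KDC_FAMILIES=" (ini form) or after "KDC_FAMILIES='" (config form).
    sed -e "/HTTP_SERVER:N/!s/^\(KDC_FAMILIES=\)/\1HTTP_SERVER:N /" \
        -e "/HTTP_SERVER:N/!s/^\(export[[:space:]]\{1,\}KDC_FAMILIES='\)/\1HTTP_SERVER:N /" \
        "$file.bak" > "$file"
}

# Verification: succeed (exit 0) only if the file has at least one KDC_FAMILIES
# line and every such line starts its value with HTTP_SERVER:N.
service_console_disabled() {
    pat="^\(export[[:space:]]\{1,\}\)\{0,1\}KDC_FAMILIES="
    grep -q "$pat" "$1" || return 1
    if grep "$pat" "$1" | grep -v "${pat}'\{0,1\}HTTP_SERVER:N" | grep -q . ; then
        return 1
    fi
    return 0
}

# Usage: sh this_script.sh FILE...   (restart the agent or instance afterwards)
if [ $# -gt 0 ]; then
    for f in "$@"; do
        disable_service_console "$f" && service_console_disabled "$f" \
            && echo "HTTP_SERVER:N set in $f"
    done
fi
```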


Java Remediation:


The following are the Fix Packs or patches that remediate Java:
  • 6.30: Install 6.30 FP2 or later
  • 6.23
    • 6.23 through 6.23 FP3:
      • Install 6.X.X-TIV-ITM_JRE_TEP_6.13.02.00 or later
      • Install 6.X.X-TIV-ITM_JRE_CANDLEHOME_6.15.01.00
    • 6.23 FP4 through 6.23 FP5:
      • Install 6.X.X-TIV-ITM_JRE_CANDLEHOME_6.15.01.00
  • 6.22
    • Install 6.X.X-TIV-ITM_JRE_TEP_5.16.02.00 or later
    • Install 6.X.X-TIV-ITM_JRE_CANDLEHOME_5.16.06.00
  • 6.21/6.20: Upgrade to one of the versions above. Call support if unable to upgrade.

For distributed agent systems, the CANDLEHOME patches above update the shared Tivoli Enterprise-supplied JRE (jr component on UNIX/Linux) or Embedded JVM (JVM component on Windows). The technote Upgrading Shared Components for IBM Tivoli Monitoring Agents provides information on how shared libraries are used.


Portal server - IBM HTTP Server (IHS)


1. In order to resolve the vulnerability, IHS must be upgraded to the following versions:

IBM Tivoli Monitoring 623 - IHS version 7.0.0.33
IBM Tivoli Monitoring 630 - IHS version 8.0.0.9

Follow the instructions for upgrading the IBM HTTP Server in the following SMC blog post:

https://www.ibm.com/developerworks/community/blogs/0587adbc-8477-431f-8c68-9226adea11ed/entry/apply_maintenance_to_the_ibm_http_server_installed_with_ibm_tivoli_monitoring?lang=en

2. Stop the portal server.

3. Edit the IHS configuration file:
    Windows: <install_dir>\IHS\conf\httpd.conf
    Linux/UNIX, 623: <install_dir>/<arch>/iu/ihs/conf/httpd.conf
    Linux/UNIX, 630: <install_dir>/<arch>/iu/ihs/HTTPServer/conf/httpd.conf

4. Find the virtual host section that configures HTTPS. It will be similar to that shown below. Note that if you have changed the HTTPS port to a value other than the default 15201, the port number will be different than shown below:

<VirtualHost *:15201>
DocumentRoot "/opt/IBM/ITM/lx8266/cw/"
SSLEnable
SSLProtocolDisable SSLv2
SSLProtocolDisable SSLv3
SSLProtocolEnable TLSv10
SSLProtocolEnable TLSv11
SSLProtocolEnable TLSv12
ErrorLog "/opt/IBM/ITM/lx8266/iu/ihs/HTTPServer/logs/sslerror.log"
TransferLog "/opt/IBM/ITM/lx8266/iu/ihs/HTTPServer/logs/sslaccess.log"
KeyFile "/opt/IBM/ITM/keyfiles/keyfile.kdb"
SSLStashfile "/opt/IBM/ITM/keyfiles/keyfile.sth"
SSLServerCert IBM_Tivoli_Monitoring_Certificate
</VirtualHost>

5. Add the following parameter after the SSLEnable parameter:
    SSLAttributeSet 471 1

6. Restart the portal server.
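Steps 3 to 5 above, as an added shell example that is not IBM's code: it inserts SSLAttributeSet 471 1 directly after SSLEnable in every <VirtualHost> block of an httpd.conf that has SSLEnable and lacks the directive, keeps a backup, is idempotent, and provides a check that fails if any SSL-enabled virtual host is still missing the directive. The configuration path is the caller's; the bulletin's own locations are listed in step 3.

```shell
#!/bin/sh
# Added example, not IBM's code: apply step 5 of the bulletin to an IHS
# httpd.conf, inserting "SSLAttributeSet 471 1" right after "SSLEnable" in
# each <VirtualHost> block that has SSLEnable and does not already carry the
# directive. Blocks already hardened are left untouched (idempotent).

add_ssl_attribute_set() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp "$conf" "$conf.bak" || return 1          # keep a copy for rollback
    awk '
    /^[ \t]*<VirtualHost/ { inblock = 1; n = 0; enable = 0; attr = 0 }
    inblock {
        buf[n++] = $0                          # buffer the whole block
        if ($0 ~ /^[ \t]*SSLEnable[ \t]*$/) enable = 1
        if ($0 ~ /^[ \t]*SSLAttributeSet[ \t]+471[ \t]+1([ \t]|$)/) attr = 1
        if ($0 ~ /^[ \t]*<\/VirtualHost>/) {
            for (i = 0; i < n; i++) {
                print buf[i]
                if (enable && !attr && buf[i] ~ /^[ \t]*SSLEnable[ \t]*$/)
                    print "SSLAttributeSet 471 1"
            }
            inblock = 0
        }
        next
    }
    { print }' "$conf.bak" > "$conf"
}

# Verification: exit 0 only if no SSL-enabled <VirtualHost> lacks the directive.
ihs_tls_padding_check() {
    awk '
    /^[ \t]*<VirtualHost/ { inblock = 1; enable = 0; attr = 0 }
    inblock && /^[ \t]*SSLEnable[ \t]*$/ { enable = 1 }
    inblock && /^[ \t]*SSLAttributeSet[ \t]+471[ \t]+1([ \t]|$)/ { attr = 1 }
    inblock && /^[ \t]*<\/VirtualHost>/ { inblock = 0; if (enable && !attr) bad = 1 }
    END { exit bad ? 1 : 0 }' "$1"
}

# Usage: sh this_script.sh /path/to/httpd.conf  (stop the portal server first,
# restart it afterwards, as in steps 2 and 6)
if [ $# -gt 0 ]; then
    add_ssl_attribute_set "$1" && ihs_tls_padding_check "$1" \
        && echo "SSLAttributeSet 471 1 present in $1"
fi
```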


Portal Server Communication with Portal Clients:



This section applies when the portal server communicates with portal clients using SSL over IIOP. SSL over IIOP is in use if both of the following conditions are true:
  • HTTPS is not being used, that is:
    • the applet.html file does not have tep.connection.protocol=http or https, AND
    • the tep.jnlp file does not have tep.connection.protocol=https
  • KFW_INTERFACE_cnps_SSL is set to "Y" in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config)

Fix                            VMRF      Remediation/First Fix
6.3.0-TIV-ITM-FP0005-IV74486   6.3.0     http://www.ibm.com/support/docview.wss?uid=swg24040448
6.2.3-TIV-ITM-FP0005-IV74486   6.2.3     http://www.ibm.com/support/docview.wss?uid=swg24040448
6.2.2-TIV-ITM-FP0009-IV74486   6.2.2     http://www.ibm.com/support/docview.wss?uid=swg24040448
6.3.0-TIV-ITM-FP0006           6.3.0.x   http://www.ibm.com/support/docview.wss?uid=swg24040390
Check the links for availability status.

For IBM Tivoli Monitoring 6.2.0 and 6.2.1, IBM recommends upgrading to a fixed, supported version/release of the product as listed above.

You should verify applying this fix does not cause any compatibility issues.


Situation Update Forwarder (SUF)


One of the following versions of SUF should be installed to remediate the vulnerability for POODLE for both TLS and SSLv3:
    • Situation Update Forwarder 6.23 FP5 + 6.2.3.TIV-ITM-FP0005-IV66139
    • Situation Update Forwarder 6.30 FP3 + 6.2.3.TIV-ITM-FP0005-IV66139
    • Situation Update Forwarder 6.30 FP4
Note: The version of SUF should match or be higher than that of the management server(s) it connects to in order to send event information.

Workarounds and Mitigations

Portal Server Communication with Portal Clients Workaround


The following configuration change is required on the portal server if communication with the portal client uses SSL over IIOP and the patch above is not installed. This is the case when HTTPS is not being used and KFW_INTERFACE_cnps_SSL is set to "Y" in the portal server environment file (Windows: kfwenv, UNIX/Linux: cq.config).

Select one of the following two configuration changes:

Option 1: Configure to use IIOP:
  1. In Manage Tivoli Enterprise Monitoring Services, right-click Tivoli Enterprise Portal Server.
  2. Click Advanced > Edit ENV file.
  3. Find the following line:
     kfw_interface_cnps_ssl=Y
  4. Change the Y to N.
  5. Save the file and exit.
  6. Click Yes when you are asked if you want to recycle the service.

Option 2: Configure to use HTTPS on 6.30 FP2 or higher, by updating one of the files below:
  • applet.html file has tep.connection.protocol=http or https -OR-
  • tep.jnlp file has tep.connection.protocol=https

References


Change History

27 Jan 2015: Original publish date
31 July 2015: Updated to include patch for "Portal Server Communication with Portal Clients" which can be used instead of the manual workaround.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Internal Use Only

Advisory 2545 (GSKit)
DB Record 47171
CVE-2014-8730

Advisory 2547 (IHS)
DB Record - tracked via Advisory 2545

Document Information

Modified date:
17 June 2018

UID

swg21694339