-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1126
  A vulnerability has been identified in IBM WebSphere MQ and IBM WebSphere
                             MQ Internet Pass-Thru
                               24 April 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere MQ
                   IBM WebSphere MQ Internet Pass-Thru
Publisher:         IBM
Operating System:  AIX
                   HP NonStop
                   HP-UX
                   IBM i
                   Linux variants
                   OpenVMS
                   Solaris
                   Windows
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2015-2808

Reference:         ESB-2015.0962
                   ESB-2015.0961
                   ESB-2015.0960
                   ESB-2015.0958
                   ESB-2015.0956
                   ESB-2015.0955
                   ESB-2015.0954
                   ESB-2015.0953
                   ESB-2015.0950.2
                   ESB-2015.0949.2
                   ESB-2015.0948.2
                   ESB-2015.0947.2
                   ESB-2015.0946.2
                   ESB-2015.0944.2

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21883551
   http://www-01.ibm.com/support/docview.wss?uid=swg21883553

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerability in RC4 stream cipher affects IBM WebSphere MQ (CVE-2015-2808)

Security Bulletin

Document information

More support for: WebSphere MQ SSL

Software version: 6.0, 7.0.1, 7.1, 7.5, 8.0

Operating system(s): AIX, HP NonStop, HP-UX, IBM i, Linux, OpenVMS, Solaris, Windows

Software edition: All Editions

Reference #: 1883551

Modified date: 2015-04-23

Summary

The RC4 Bar Mitzvah Attack for SSL/TLS affects IBM WebSphere MQ.

Vulnerability Details

CVEID: CVE-2015-2808

DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session.
Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as the "Bar Mitzvah Attack".

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM WebSphere MQ v8.0
IBM WebSphere MQ v7.5
IBM WebSphere MQ v7.1
IBM WebSphere MQ v7.0.1
IBM WebSphere MQ v6.0
IBM MQ Appliance M2000

Remediation/Fixes

None.

Workarounds and Mitigations

IBM strongly recommends immediately changing any channel definitions that use any of the following RC4 MQ CipherSpecs to use a stronger encryption algorithm:

   RC4_SHA_US
   TLS_RSA_WITH_RC4_128_SHA
   RC4_MD5_US
   TLS_RSA_WITH_RC4_128_MD5
   RC4_56_SHA_EXPORT1024
   RC4_MD5_EXPORT
   TLS_RSA_EXPORT_WITH_RC4_40_MD5
   ECDHE_ECDSA_RC4_128_SHA256
   ECDHE_RSA_RC4_128_SHA256
   TLS_RSA_WITH_RC4_128_SHA256

Note that IBM may need to deprecate the use of weaker algorithms in response to a security vulnerability, for example MQ CipherSpecs which are not certified as FIPS 140-2 compliant, via future product maintenance. Further details on the MQ CipherSpecs that are currently available can be found here.

IBM WebSphere MQ for IBM i

IBM recommends that customers review system value QSSLCSL to prevent the use of the RC4 cipher.

IBM WebSphere MQ for UNIX, Linux, Windows & IBM MQ Appliance M2000

On other distributed platforms, enabling FIPS mode on a queue manager prevents weak ciphers, including RC4, from being accepted by inbound connections and also from being used by outbound connections. You should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above.
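A defender-side check for the channel review IBM asks for above, added here as an example and not part of IBM's bulletin or of the MQ product: it parses the output of the MQSC command DISPLAY CHANNEL(*) CHLTYPE SSLCIPH and flags every channel whose SSLCIPH is one of the RC4 CipherSpecs listed above (generalised to any CipherSpec name containing RC4). The sample output is constructed; the AMQ8414 message prefix and NAME(value) attribute layout are those of runmqsc.

```python
import re

# RC4 MQ CipherSpecs named in the bulletin for CVE-2015-2808.
RC4_CIPHERSPECS = frozenset({
    "RC4_SHA_US", "TLS_RSA_WITH_RC4_128_SHA", "RC4_MD5_US",
    "TLS_RSA_WITH_RC4_128_MD5", "RC4_56_SHA_EXPORT1024", "RC4_MD5_EXPORT",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "ECDHE_ECDSA_RC4_128_SHA256",
    "ECDHE_RSA_RC4_128_SHA256", "TLS_RSA_WITH_RC4_128_SHA256",
})
# MQSC prints attributes as NAME(value); a blank attribute shows as NAME( ).
_ATTR = re.compile(r"\b(CHANNEL|CHLTYPE|SSLCIPH)\(([^)]*)\)")

def parse_display_channel(mqsc_output):
    """One dict per channel record; each AMQ8414 message line starts a new record."""
    channels = []
    for line in mqsc_output.splitlines():
        if line.startswith("AMQ8414"):
            channels.append({})
        elif channels:
            for key, value in _ATTR.findall(line):
                channels[-1][key] = value.strip()
    return channels

def is_rc4_cipherspec(spec):
    """True for the listed CipherSpecs and, more generally, any name containing RC4."""
    return spec in RC4_CIPHERSPECS or "RC4" in spec.upper()

def find_rc4_channels(mqsc_output):
    """(channel, type, CipherSpec) for every channel still configured with RC4."""
    return [(c.get("CHANNEL"), c.get("CHLTYPE"), c["SSLCIPH"])
            for c in parse_display_channel(mqsc_output)
            if c.get("SSLCIPH") and is_rc4_cipherspec(c["SSLCIPH"])]

# Constructed sample of DISPLAY CHANNEL(*) CHLTYPE SSLCIPH output, not from a real queue manager.
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(TO.PARTNER.QM)                  CHLTYPE(SDR)
   SSLCIPH(RC4_SHA_US)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(FROM.LEGACY.QM)                 CHLTYPE(RCVR)
   SSLCIPH(TLS_RSA_WITH_RC4_128_SHA256)
"""
if __name__ == "__main__":
    for name, chltype, spec in find_rc4_channels(SAMPLE):
        # The replacement CipherSpec is a site decision; the MQSC command shape is ALTER CHANNEL.
        print(f"{name} ({chltype}) uses {spec}; fix with ALTER CHANNEL({name}) CHLTYPE({chltype}) SSLCIPH(...)")
```

Channels with a blank SSLCIPH are not using TLS at all and are skipped; they are a separate finding, not an RC4 one.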
IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

Important note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Complete CVSS Guide
On-line Calculator V2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
http://www.ibm.com/support/docview.wss?uid=swg21699055
http://www.ibm.com/support/docview.wss?uid=swg21687433

Change History

23 April 2015 - Original Version Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- ------------------------------------------------------------------------------

Security Bulletin: Vulnerability in RC4 stream cipher affects IBM WebSphere MQ Internet Pass-Thru (CVE-2015-2808)

Security Bulletin

Document information

More support for: WebSphere MQ MQIPT

Software version: 2.1

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Software edition: All Editions

Reference #: 1883553

Modified date: 2015-04-23

Summary

The RC4 Bar Mitzvah Attack for SSL/TLS affects IBM WebSphere MQ Internet Pass-Thru.

Vulnerability Details

CVEID: CVE-2015-2808

DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as the "Bar Mitzvah Attack".
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM WebSphere MQ Internet Pass-Thru - Support Pac MS81

Workarounds and Mitigations

IBM strongly recommends immediately changing any routes that use any of the following RC4 CipherSuites, or that do not explicitly specify a CipherSuite, to use a stronger encryption algorithm:

   SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
   SSL_DH_anon_WITH_RC4_128_MD5
   SSL_DHE_DSS_WITH_RC4_128_SHA
   SSL_ECDH_anon_WITH_RC4_128_SHA
   SSL_ECDH_ECDSA_WITH_RC4_128_SHA
   SSL_ECDH_RSA_WITH_RC4_128_SHA
   SSL_ECDHE_ECDSA_WITH_RC4_128_SHA
   SSL_ECDHE_RSA_WITH_RC4_128_SHA
   SSL_KRB5_EXPORT_WITH_RC4_40_MD5
   SSL_KRB5_EXPORT_WITH_RC4_40_SHA
   SSL_KRB5_WITH_RC4_128_MD5
   SSL_KRB5_WITH_RC4_128_SHA
   SSL_RSA_EXPORT_WITH_RC4_40_MD5
   SSL_RSA_WITH_RC4_128_MD5
   SSL_RSA_WITH_RC4_128_SHA

Note that IBM may need to deprecate the use of weaker algorithms in response to a security vulnerability. You should verify that applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose you to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS Guide
On-line Calculator V2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
http://www.ibm.com/support/docview.wss?uid=swg21687433

Change History

23 April 2015 - Original Version Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score.
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information
is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----