Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.1126
A vulnerability has been identified in IBM WebSphere MQ and
IBM WebSphere MQ Internet Pass-Thru
24 April 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM WebSphere MQ
IBM WebSphere MQ Internet Pass-Thru
Publisher: IBM
Operating System: AIX
HP NonStop
HP-UX
IBM i
Linux variants
OpenVMS
Solaris
Windows
Impact/Access: Access Privileged Data -- Remote/Unauthenticated
Resolution: Mitigation
CVE Names: CVE-2015-2808
Reference: ESB-2015.0962
ESB-2015.0961
ESB-2015.0960
ESB-2015.0958
ESB-2015.0956
ESB-2015.0955
ESB-2015.0954
ESB-2015.0953
ESB-2015.0950.2
ESB-2015.0949.2
ESB-2015.0948.2
ESB-2015.0947.2
ESB-2015.0946.2
ESB-2015.0944.2
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21883551
http://www-01.ibm.com/support/docview.wss?uid=swg21883553
Comment: This bulletin contains two (2) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Vulnerability in RC4 stream cipher affects IBM WebSphere MQ
(CVE-2015-2808)
Security Bulletin
Document information
More support for:
WebSphere MQ
SSL
Software version:
6.0, 7.0.1, 7.1, 7.5, 8.0
Operating system(s):
AIX, HP NonStop, HP-UX, IBM i, Linux, OpenVMS, Solaris, Windows
Software edition:
All Editions
Reference #:
1883551
Modified date:
2015-04-23
Summary
The RC4 Bar Mitzvah Attack for SSL/TLS affects IBM WebSphere MQ.
Vulnerability Details
CVEID: CVE-2015-2808
DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol,
could allow a remote attacker to obtain sensitive information. An attacker
could exploit this vulnerability to remotely expose account credentials
without requiring an active man-in-the-middle session. Successful exploitation
could allow an attacker to retrieve credit card data or other sensitive
information. This vulnerability is commonly referred to as "Bar Mitzvah
Attack".
CVSS Base Score: 5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Affected Products and Versions
IBM WebSphere MQ v8.0
IBM WebSphere MQ v7.5
IBM WebSphere MQ v7.1
IBM WebSphere MQ v7.0.1
IBM WebSphere MQ v6.0
IBM MQ Appliance M2000
Remediation/Fixes
None.
Workarounds and Mitigations
IBM strongly recommends immediately changing any channel definitions that use
any of the following RC4 MQ CipherSpecs to use a stronger encryption
algorithm;
RC4_SHA_US
TLS_RSA_WITH_RC4_128_SHA
RC4_MD5_US
TLS_RSA_WITH_RC4_128_MD5
RC4_56_SHA_EXPORT1024
RC4_MD5_EXPORT
TLS_RSA_EXPORT_WITH_RC4_40_MD5
ECDHE_ECDSA_RC4_128_SHA256
ECDHE_RSA_RC4_128_SHA256
TLS_RSA_WITH_RC4_128_SHA256
Note that IBM may need to deprecate the use of weaker algorithms in response
to a security vulnerability, for example MQ CipherSpecs which are not
certified as FIPS 140-2 compliant via future product maintenance.
Further details on the MQ CipherSpecs that are currently available can be
found here.
IBM WebSphere MQ for IBM i
IBM recommends that customers review system value QSSLCSL to prevent the use
of the RC4 cipher.
IBM WebSphere MQ for UNIX, Linux, Windows & IBM MQ Appliance M2000
On other distributed platforms, enabling FIPS mode on a queue manager prevents
weak ciphers including RC4 from being accepted by inbound connections and also
from being used by outbound connections.
You should verify applying this configuration change does not cause any
compatibility issues. Not disabling the RC4 stream cipher will expose yourself
to the attack described above. IBM recommends that you review your entire
environment to identify other areas where you have enabled the RC4 stream
cipher and take appropriate mitigation and remediation actions.
Get Notified about Future Security Bulletins
Subscribe to My Notifications to be notified of important product support
alerts like this.
Important note
IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site. Security and integrity APARs and associated fixes
will be posted to this portal. IBM suggests reviewing the CVSS scores and
applying all security or integrity fixes as soon as possible to minimize any
potential risk.
References
Complete CVSS Guide
On-line Calculator V2
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
http://www.ibm.com/support/docview.wss?uid=swg21699055
http://www.ibm.com/support/docview.wss?uid=swg21687433
Change History
23 April 2015 - Original Version Published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- ------------------------------------------------------------------------------
Security Bulletin: Vulnerability in RC4 stream cipher affects IBM WebSphere MQ
Internet Pass-Thru (CVE-2015-2808)
Security Bulletin
Document information
More support for:
WebSphere MQ
MQIPT
Software version:
2.1
Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows
Software edition:
All Editions
Reference #:
1883553
Modified date:
2015-04-23
Summary
The RC4 Bar Mitzvah Attack for SSL/TLS affects IBM WebSphere MQ Internet
Pass-Thru.
Vulnerability Details
CVEID: CVE-2015-2808
DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol,
could allow a remote attacker to obtain sensitive information. An attacker
could exploit this vulnerability to remotely expose account credentials
without requiring an active man-in-the-middle session. Successful exploitation
could allow an attacker to retrieve credit card data or other sensitive
information. This vulnerability is commonly referred to as "Bar Mitzvah
Attack".
CVSS Base Score: 5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Affected Products and Versions
IBM WebSphere MQ Internet Pass-Thru - Support Pac MS81
Workarounds and Mitigations
IBM strongly recommends immediately changing any routes that use any of the
following RC4 CipherSuites or do not explicitly specify a CipherSuite to use a
stronger encryption algorithm;
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_WITH_RC4_128_MD5
SSL_DHE_DSS_WITH_RC4_128_SHA
SSL_ECDH_anon_WITH_RC4_128_SHA
SSL_ECDH_ECDSA_WITH_RC4_128_SHA
SSL_ECDH_RSA_WITH_RC4_128_SHA
SSL_ECDHE_ECDSA_WITH_RC4_128_SHA
SSL_ECDHE_RSA_WITH_RC4_128_SHA
SSL_KRB5_EXPORT_WITH_RC4_40_MD5
SSL_KRB5_EXPORT_WITH_RC4_40_SHA
SSL_KRB5_WITH_RC4_128_MD5
SSL_KRB5_WITH_RC4_128_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
Note that IBM may need to deprecate the use of weaker algorithms in response
to a security vulnerability.
You should verify applying this configuration change does not cause any
compatibility issues. Not disabling the RC4 stream cipher will expose yourself
to the attack described above. IBM recommends that you review your entire
environment to identify other areas where you have enabled the RC4 stream
cipher and take appropriate mitigation and remediation actions.
Get Notified about Future Security Bulletins
Subscribe to My Notifications to be notified of important product support
alerts like this.
References
Complete CVSS Guide
On-line Calculator V2
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
http://www.ibm.com/support/docview.wss?uid=swg21687433
Change History
23 April 2015 - Original Version Published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVTmXiBLndAQH1ShLAQLAXA/7BSz7FHWwDI+Jr65B9/WIX3Yu1hCbT/bL
te34dkNR46kloq9SIzDloHlW/bR6EgkUw3mTiLH9pfaBixyScAxDzZ4KGwtjmPoM
11LA9dKL4xsYMhEONvyFgqqCqRP70cM0ldGHA2YVrkrhv20adN4m1iEij6QPe7JS
vCG1olpHYvBs4uUgnvQ0g78Ql2lqa0ThZjM5IUgL/zqdB9azSBztPii/V3ncn/eQ
FtZuuzux67klIiZ0LH2CVl1xXsfU0u5+ssQxjblt1oS63s43chMTra8hbMY385wI
/jVPjeFBOF0IY+h0URye4+KcCKA4YyYd/PGC7eAOExiW4MtFfgKf5RAfSL8W8sHx
zreBP5PYfF6BVw76/ZjorSRICtGBWiMdcxLKZFkQn+cr8ZPXODIgpJnUkaIcY3xc
t8v1Buwq/5U71I4k3ZFzLlCeFUfGJ1wOm3bR9ybpH6lHqNWfIqj/tAdXQX7U6HR8
/lnwem1LmMHbcm7jOWPuDUv5jDbzo8O7XPT2+q4FiW3zgVlV2Gx0cavD0+V706GD
88cc7L6xwA1zHof1LlsUBrb1SxkTPbKMQtEEWmmhHJIrrwNs1pKwVYYItV0utbAr
DTvfz3N9Z/TqxPHDUs4pGXnq55dp6d/QJMajB+kZO+Rfm/WFbxtfFxcKzN8z24kK
vfcc9J8TCkU=
=6l4H
-----END PGP SIGNATURE-----