-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1187
           Security Bulletin: Vulnerability in RC4 stream cipher
              affects InfoSphere BigInsights (CVE-2015-2808)
                               30 April 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM InfoSphere BigInsights
Publisher:         IBM
Operating System:  Red Hat
                   SUSE
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-2808  

Reference:         ESB-2015.1183
                   ESB-2015.1168
                   ESB-2015.1166
                   ESB-2015.1160
                   ESB-2015.1159
                   ESB-2015.1156
                   ESB-2015.1155

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21883618

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerability in RC4 stream cipher affects InfoSphere 
BigInsights (CVE-2015-2808)

Document information

More support for:

InfoSphere BigInsights

Software version:

2.0.0, 2.1.0, 2.1.1, 2.1.2, 3.0, 3.0.0.1, 3.0.0.2, 4.0.0

Operating system(s):

Linux Red Hat - pSeries, Linux Red Hat - xSeries, Linux SUSE - xSeries

Software edition:

Basic Edition, Community Edition, Enterprise Edition, Quick Start Edition

Reference #:

1883618

Modified date:

2015-04-29

Security Bulletin

Summary

The RC4 Bar Mitzvah Attack for SSL/TLS affects InfoSphere BigInsights.

Vulnerability Details

CVEID: CVE-2015-2808

DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol,
could allow a remote attacker to obtain sensitive information. An attacker 
could exploit this vulnerability to remotely expose account credentials 
without requiring an active man-in-the-middle session. Successful exploitation
could allow an attacker to retrieve credit card data or other sensitive 
information. This vulnerability is commonly referred to as "Bar Mitzvah 
Attack".

CVSS Base Score: 5

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Customers who have Secure Sockets Layer (SSL) support enabled for any of the 
BigInsights components.

IBM InfoSphere BigInsights 2.0, 2.1, 2.1.2, 3.0, 3.0.0.1, 3.0.0.2, 4.0

Remediation/Fixes

For versions 2.1.2, 2.1, and 2.0: Apply the Interim fix, which removes RC4
cipher suites from the default list of enabled cipher suites. After 
downloading the BigInsights IBM Java version 1.6 Service Refresh 16 Fix Pack 3
from Fix Central, perform the following steps as the BigInsights Administrator
to replace the default JDK:

The steps below assume that the new JDK is ibm-java-sdk-6.0-16.3-linux-x86_64.tgz
and the current JDK is ibm-java-sdk-6.0-12.0-linux-x86_64.tgz. Replace these 
file names with the version of the new JDK for your platform and with the 
version currently installed on your system.

1. Stop InfoSphere BigInsights: $BIGINSIGHTS_HOME/bin/stop-all.sh

2. Upload the new IBM JDK to the console node, into the $BIGINSIGHTS_HOME directory

3. Run the following commands on the BigInsights console node:

    cd $BIGINSIGHTS_HOME
 
    mv jdk/ jdk_orig

    sudo chmod 777 ibm-java-sdk-6.0-16.3-linux-x86_64.tgz

    sudo chown biadmin:biadmin ibm-java-sdk-6.0-16.3-linux-x86_64.tgz

    tar zxvf ibm-java-sdk-6.0-16.3-linux-x86_64.tgz

    mv ibm-java-x86_64-60 jdk

    mv $BIGINSIGHTS_HOME/hdm/jdk $BIGINSIGHTS_HOME/hdm/jdk_orig

    cp -r $BIGINSIGHTS_HOME/jdk $BIGINSIGHTS_HOME/hdm/

4. Run the following commands from the console node against all other nodes in
   the cluster (node is the name of the non-console node):

    ssh node "mv $BIGINSIGHTS_HOME/jdk $BIGINSIGHTS_HOME/jdk_orig"

    scp -r $BIGINSIGHTS_HOME/jdk node:$BIGINSIGHTS_HOME/

5. Run the following commands on the console node:

    cd $BIGINSIGHTS_HOME/hdm/artifacts

    mv ibm-java-sdk-6.0-12.0-linux-x86_64.tgz ibm-java-sdk-6.0-12.0-linux-x86_64.tgz_orig

    cp $BIGINSIGHTS_HOME/ibm-java-sdk-6.0-16.3-linux-x86_64.tgz ibm-java-sdk-6.0-12.0-linux-x86_64.tgz

    cd $BIGINSIGHTS_HOME/hdm/todeploy

    mv jdk.tar.gz jdk.tar.gz_orig

    mv jdk.tar.gz.cksum jdk.tar.gz.cksum_orig

    syncconf.sh

    cp jdk.tar.gz.cksum $BIGINSIGHTS_HOME/jdk/.deploy.cksum

    For each node (where node is the name of the non-console node):

      scp $BIGINSIGHTS_HOME/jdk/.deploy.cksum node:$BIGINSIGHTS_HOME/jdk/.deploy.cksum

6. Sync the configuration, then restart BigInsights and run the health check:

    $BIGINSIGHTS_HOME/bin/syncconf.sh

    $BIGINSIGHTS_HOME/bin/start-all.sh

    $BIGINSIGHTS_HOME/bin/healthcheck.sh
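Before running syncconf.sh and start-all.sh it is worth confirming that the console
node really ended up in the state steps 3 and 5 describe, since a half-applied swap
(for example hdm/jdk still holding the old JDK, or the artifacts tarball not
replaced) leaves nodes deployed with RC4 still enabled. The shell function below is
an added example and is not part of the IBM bulletin; it assumes the directory
layout named in the steps above ($BIGINSIGHTS_HOME/jdk, jdk_orig, hdm/jdk,
hdm/jdk_orig, hdm/artifacts, hdm/todeploy) and takes the new and old tarball names
as arguments. It also flags world-writable files under the new jdk tree, because
the chmod 777 in step 3 loosens permissions on the uploaded tarball and it is
prudent to confirm nothing was extracted world-writable.

```sh
#!/bin/sh
# Added example (not IBM's): check the console node's filesystem state after
# steps 3 and 5 of the JDK replacement, before syncconf.sh / start-all.sh.
# Assumes the layout used in the bulletin: $BIGINSIGHTS_HOME/jdk, jdk_orig,
# hdm/jdk, hdm/jdk_orig, hdm/artifacts and hdm/todeploy.

fails=0

# Record a failed check: $1 is a description, the rest is a test(1) expression.
check() {
    desc=$1
    shift
    if ! [ "$@" ]; then
        echo "FAIL: $desc"
        fails=$((fails + 1))
    fi
}

# Usage: verify_console_node_jdk_swap BIGINSIGHTS_HOME NEW_TGZ OLD_TGZ
# Prints one FAIL line per problem; returns 0 only if every check passed.
verify_console_node_jdk_swap() {
    home=$1
    new_tgz=$2
    old_tgz=$3
    fails=0

    # Step 3: new JDK in place, originals kept, hdm copy identical to the new JDK.
    check "new JDK unpacked at $home/jdk" -d "$home/jdk"
    check "original JDK kept as jdk_orig" -d "$home/jdk_orig"
    check "hdm/jdk present" -d "$home/hdm/jdk"
    check "original hdm JDK kept as hdm/jdk_orig" -d "$home/hdm/jdk_orig"
    if [ -d "$home/jdk" ] && [ -d "$home/hdm/jdk" ] \
       && ! diff -r "$home/jdk" "$home/hdm/jdk" >/dev/null 2>&1; then
        echo "FAIL: hdm/jdk is not an identical copy of jdk"
        fails=$((fails + 1))
    fi

    # Step 5: the old artifact name now holds the new tarball, old copies renamed.
    check "old artifact tarball renamed to ${old_tgz}_orig" \
        -f "$home/hdm/artifacts/${old_tgz}_orig"
    if ! cmp -s "$home/$new_tgz" "$home/hdm/artifacts/$old_tgz"; then
        echo "FAIL: hdm/artifacts/$old_tgz is not a copy of $new_tgz"
        fails=$((fails + 1))
    fi
    check "todeploy/jdk.tar.gz_orig kept" -f "$home/hdm/todeploy/jdk.tar.gz_orig"
    check "todeploy/jdk.tar.gz.cksum_orig kept" -f "$home/hdm/todeploy/jdk.tar.gz.cksum_orig"

    # Hygiene: step 3's chmod 777 loosened the tarball; make sure nothing under
    # the new JDK tree ended up world-writable.
    check "no world-writable files under $home/jdk" \
        -z "$(find "$home/jdk" -perm -0002 2>/dev/null | head -n 1)"

    [ "$fails" -eq 0 ]
}

# Usage on the console node, as the BigInsights Administrator:
#   verify_console_node_jdk_swap "$BIGINSIGHTS_HOME" \
#       ibm-java-sdk-6.0-16.3-linux-x86_64.tgz ibm-java-sdk-6.0-12.0-linux-x86_64.tgz
```

The function deliberately compares directory trees with diff -r rather than
trusting names, because step 3 copies $BIGINSIGHTS_HOME/jdk into hdm/ and it is the
hdm copy that syncconf.sh packages for the other nodes.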

For other versions affected by this vulnerability, follow the instructions in 
the Workarounds and Mitigations section.

Workarounds and Mitigations

This vulnerability can be mitigated by disabling RC4 in the IBM Java security
file and by enabling FIPS mode in the LDAP security plug-in configuration file 
for Big SQL.

For versions 3.0, 3.0.0.1, 3.0.0.2

Follow the mitigation instruction below as BigInsights Administrator to 
disable RC4 in IBM Java:

1. Stop InfoSphere BigInsights: $BIGINSIGHTS_HOME/bin/stop-all.sh

2. On the console node, update the java.security file to turn off RC4

   Locate the java.security file on console node under 
   $BIGINSIGHTS_HOME/hdm/jdk/jre/lib/security/java.security

   Edit the java.security file and turn off RC4 by adding: 
   jdk.tls.disabledAlgorithms=SSLv3,RC4

3. Recreate jdk.tar.gz to include the new version of the java.security file on 
   the console node

   cd $BIGINSIGHTS_HOME/hdm/todeploy

   mv jdk.tar.gz jdk.tar.gz.orig

   mv jdk.tar.gz.cksum jdk.tar.gz.cksum.orig

   syncconf.sh

   cp $BIGINSIGHTS_HOME/hdm/todeploy/jdk.tar.gz.cksum  $BIGINSIGHTS_HOME/jdk/.deploy.cksum

4. Run the following commands from the console node against all other nodes in
   the cluster (node is the name of the non-console node):

   ssh node mv $BIGINSIGHTS_HOME/jdk/.deploy.cksum $BIGINSIGHTS_HOME/jdk/.deploy.cksum.orig

   scp $BIGINSIGHTS_HOME/jdk/.deploy.cksum node:$BIGINSIGHTS_HOME/jdk/.deploy.cksum

5. On each node:

   Locate the java.security file used by BigInsights: $BIGINSIGHTS_HOME/jdk/jre/lib/security/java.security

   Edit the java.security file and turn off RC4 by adding: 
   jdk.tls.disabledAlgorithms=SSLv3,RC4

6. Restart BigInsights: $BIGINSIGHTS_HOME/bin/start-all.sh

For versions 3.0, 3.0.0.1, 3.0.0.2, and 4.0

Customers who have Secure Sockets Layer (SSL) support enabled in their client
configuration, using the LDAP security plug-in to communicate with the LDAP
server for Big SQL, should follow the instructions below to mitigate the
problem. SSL support is not enabled in the LDAP security plug-in by default.

Mitigation instructions:

Customers should enable FIPS mode in the LDAP security plug-in as follows:

1. As the Big SQL instance owner, open the LDAP security plug-in 
   configuration file. The default name and location for the IBM LDAP security 
   plug-in configuration file is:

   BIGSQL_HOME/sqllib/cfg/IBMLDAPSecurity.ini

   Alternatively, the file may reside in the location defined by the 
   DB2LDAPSecurityConfig environment variable.

2. Search for the FIPS_MODE configuration parameter in the file and change its 
   value to true. Save and close the file.

   ; FIPS_MODE
   ; To set SSL encryption FIPS mode on or off.
   ; Optional; Valid values are true (on) and false (off). Defaults to
   ; false (FIPS mode off).
     FIPS_MODE = true
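Both mitigations in this section come down to a one-line configuration edit that
has to be applied on every node (java.security) or for every Big SQL instance
(IBMLDAPSecurity.ini) and then verified, and a hand edit is easy to get subtly
wrong: duplicating the jdk.tls.disabledAlgorithms property, or replacing a value
that already disabled other algorithms. The shell functions below are an added
example, not part of the IBM bulletin, that apply and check both edits
idempotently. They assume the jdk.tls.disabledAlgorithms value sits on a single
line (Java also allows backslash continuation lines, which these functions do not
join) and that ';' introduces a comment line in the .ini file, as in the excerpt
above.

```sh
#!/bin/sh
# Added example (not IBM's): apply and verify the two mitigations from the
# bulletin on a given file, without duplicating or clobbering existing entries.
# Assumes a single-line jdk.tls.disabledAlgorithms property and an .ini where
# lines starting with ';' are comments.

# Print the entries of jdk.tls.disabledAlgorithms, one per line, trimmed.
java_security_disabled_entries() {
    sed -n 's/^jdk\.tls\.disabledAlgorithms=//p' "$1" | head -n 1 \
        | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$'
}

# Return 0 if the named algorithm (e.g. RC4) is disabled for TLS in the file.
java_security_disables() {
    java_security_disabled_entries "$1" | grep -qx "$2"
}

# Disable SSLv3 and RC4 as the bulletin instructs, keeping any entries already
# present and never adding a second property line.
disable_rc4_in_java_security() {
    file=$1
    missing=""
    for alg in SSLv3 RC4; do
        java_security_disables "$file" "$alg" || missing="${missing:+$missing, }$alg"
    done
    [ -n "$missing" ] || return 0        # already mitigated, nothing to do
    if grep -q '^jdk\.tls\.disabledAlgorithms=' "$file"; then
        cur=$(sed -n 's/^jdk\.tls\.disabledAlgorithms=[[:space:]]*//p' "$file" | head -n 1)
        sed "s|^jdk\.tls\.disabledAlgorithms=.*|jdk.tls.disabledAlgorithms=${cur:+$cur, }$missing|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'jdk.tls.disabledAlgorithms=%s\n' "$missing" >> "$file"
    fi
}

# Print the effective FIPS_MODE value (last uncommented assignment), lowercased.
ldap_ini_fips_mode() {
    sed -n 's/^[[:space:]]*FIPS_MODE[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1 \
        | sed 's/[[:space:]]*$//' | tr 'A-Z' 'a-z'
}

# Set FIPS_MODE = true, replacing an existing assignment or appending one.
enable_fips_in_ldap_ini() {
    file=$1
    if grep -q '^[[:space:]]*FIPS_MODE[[:space:]]*=' "$file"; then
        sed 's/^[[:space:]]*FIPS_MODE[[:space:]]*=.*/FIPS_MODE = true/' "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf 'FIPS_MODE = true\n' >> "$file"
    fi
}

# Usage (as the BigInsights Administrator / Big SQL instance owner):
#   disable_rc4_in_java_security "$BIGINSIGHTS_HOME/jdk/jre/lib/security/java.security"
#   java_security_disables "$BIGINSIGHTS_HOME/jdk/jre/lib/security/java.security" RC4 && echo "RC4 off"
#   enable_fips_in_ldap_ini "$BIGSQL_HOME/sqllib/cfg/IBMLDAPSecurity.ini"
#   [ "$(ldap_ini_fips_mode "$BIGSQL_HOME/sqllib/cfg/IBMLDAPSecurity.ini")" = true ] && echo "FIPS on"
```

Run java_security_disables against the file on each node after the .deploy.cksum
step rather than only on the console node: the bulletin's step 5 edits the per-node
copy separately, and a node that was skipped keeps negotiating RC4.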

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support 
alerts like this.

References

Complete CVSS Guide

On-line Calculator V2

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

April 28, 2015: Original Version Published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----