News & Media
Become a member »
» ESB-2009.1667 - [Win][Linux][HP-UX][AIX] IBM SDK for...
ESB-2009.1667 - [Win][Linux][HP-UX][AIX] IBM SDK for Java: Unauthorised access - Remote/unauthenticated
22 December 2009
Click here for printable version
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2009.1667 Transport Layer Security (TLS) handshake renegotiation weak security 22 December 2009 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: IBM SDK for Java Publisher: IBM Operating System: AIX HP-UX Linux variants Windows i5/OS z/OS Impact/Access: Unauthorised Access -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2009-3555 Reference: ASB-2009.1125.2 Original Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21415080 - --------------------------BEGIN INCLUDED TEXT-------------------- Transport Layer Security (TLS) handshake renegotiation weak security CVE-2009-3555 Flash (Alert) Abstract All customers using IBM SDK for Java relying on Secure Socket Layer v3 (SSLv3) or any of the multiple versions of Transport Layer Security (TLS) in support of secure communications between a client and server or between server and server are impacted by a recently discovered weakness in the TLS and SSL v3 protocols. SSLv2 is not affected. Content The TLS/SSL weakness exists in multiple implementations of the Transport Layer Security (TLS) protocol, including SSL. To address the weakness in the TLS/SSL handshake renegotiation, IBM, along with the other members in the Industry Consortium for the Advancement of Security on the Internet (ICASI), are working together with the Internet Engineering Task Force (IETF) to enhance and strengthen the handshake renegotiation protocol in the TLS specification. This effort will take some time to complete. The delivery outlook for inclusion of this enhanced handshake renegotiation capability in TLS protocol implementations is unknown at this time. In the interim, the IBM SDK for Java is delivering a fix to allow an installation to disable the TLS handshake renegotiation. The TLS handshake renegotiation is rarely used. Disabling the TLS handshake renegotiation will block a remote attacker from attempting to exploit the weakness in the TLS protocol. After installing this fix, the default setting will disable the TLS handshake renegotiation. The fix also provides an option to re-enable renegotiation if warranted. TLS handshake renegotiation should be re-enabled only if absolutely necessary and with a clear understanding and acceptance of the potential security risks. IBM Java Secure Socket Extensions (JSSE) includes TLS support. If your Java application uses JSSE for secure communication, you can disable TLS renegotiation by installing APAR IZ65239. After installing JSSE APAR IZ65239, the following properties are added: com.ibm.jsse2.renegotiate=[ALL | NONE | ABBREVIATED] ALL: allow both abbreviated and unabbreviated (full) renegotiation handshakes. NONE: allow no renegotiation handshakes. This option is the new default setting. ABBREVIATED: allow only abbreviated renegotiation handshakes. It is the recommendation of IBM to install all Security and System Integrity PTFs applicable to z/OS and any installed FMIDs. To determine whether PTFs are needed, customers should follow normal procedures in obtaining security/integrity PTFs from IBM for z/OS. The IBM System z policy restricts distribution of security and system integrity APARs to reduce the risk of exposure. Customer representatives who have been authorized for System z Security Access can obtain Security/Integrity information, including SMP/E Enhanced HOLD DATA, for all security/integrity APARs. Please see the URL http://www.vm.ibm.com/devpages/spera/aparinfo.html for details on the procedures authorizing access to IBM System z security/integrity information. Security/integrity service information should be checked on a regular basis and PTFs applied as soon as possible to eliminate potential risks. If your Java application or IBM i leverages IBM JSSE and i System SSL. Fixes for security vulnerabilities identified to be applicable to IBM i are available in a Security PTF group as well as the HIPER PTF group. The PTF groups can be viewed at the Preventive Service Planning - PSP web site http://www-912.ibm.com/s_dir/sline003.NSF/GroupPTFs?OpenView&view=GroupPTFs. Expand the release to see groups, including Group Security. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to email@example.com and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: firstname.lastname@example.org Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFLL/8kNVH5XJJInbgRAuuxAJsGCVbgJ7Uyiassyiy3ynXt8JON8ACfYNE9 bTu9I9oOSz4L1sorV55eces= =o2Eb -----END PGP SIGNATURE-----
Comments? Click here