Australia's Leading Computer Emergency Response Team

ESB-2009.1667 - [Win][Linux][HP-UX][AIX] IBM SDK for Java: Unauthorised access - Remote/unauthenticated
Date: 22 December 2009
Original URL: http://www.auscert.org.au/render.html?cid=1980&it=12152
References: ASB-2009.1125.2  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.1667
   Transport Layer Security (TLS) handshake renegotiation weak security
                             22 December 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM SDK for Java
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Windows
                   i5/OS
                   z/OS
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
                   Denial of Service   -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-3555  

Reference:         ASB-2009.1125.2

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21415080

- --------------------------BEGIN INCLUDED TEXT--------------------

Transport Layer Security (TLS) handshake renegotiation weak security 
CVE-2009-3555

Flash (Alert)

Abstract

All customers using IBM SDK for Java relying on Secure Socket Layer v3 (SSLv3) 
or any of the multiple versions of Transport Layer Security (TLS) in support 
of secure communications between a client and server or between server and 
server are impacted by a recently discovered weakness in the TLS and SSL v3 
protocols. SSLv2 is not affected.

Content

The TLS/SSL weakness exists in multiple implementations of the Transport Layer 
Security (TLS) protocol, including SSL.

To address the weakness in the TLS/SSL handshake renegotiation, IBM, along with 
the other members of the Industry Consortium for the Advancement of Security 
on the Internet (ICASI), is working with the Internet Engineering Task Force 
(IETF) to enhance and strengthen the handshake renegotiation protocol in the 
TLS specification. This effort will take some time to complete. 
The delivery outlook for inclusion of this enhanced handshake renegotiation 
capability in TLS protocol implementations is unknown at this time.

In the interim, the IBM SDK for Java is delivering a fix to allow an 
installation to disable the TLS handshake renegotiation. The TLS handshake 
renegotiation is rarely used. Disabling the TLS handshake renegotiation will 
block a remote attacker from attempting to exploit the weakness in the TLS 
protocol. After installing this fix, the default setting will disable the 
TLS handshake renegotiation. The fix also provides an option to re-enable 
renegotiation if warranted. TLS handshake renegotiation should be 
re-enabled only if absolutely necessary and with a clear understanding and 
acceptance of the potential security risks.

IBM Java Secure Socket Extensions (JSSE) includes TLS support. If your Java 
application uses JSSE for secure communication, you can disable TLS 
renegotiation by installing APAR IZ65239. After installing JSSE APAR IZ65239, 
the following property is added:

com.ibm.jsse2.renegotiate=[ALL | NONE | ABBREVIATED]

      ALL: allow both abbreviated and unabbreviated (full) renegotiation 
      handshakes.
      NONE: allow no renegotiation handshakes. This option is the new default 
      setting.
      ABBREVIATED: allow only abbreviated renegotiation handshakes.
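
An added example, not part of the IBM or AusCERT text: a small audit that reads Java launch lines and reports where com.ibm.jsse2.renegotiate has been set away from the NONE default. The launch lines are constructed samples, the option parsing is simplified, and "the last -D on the line wins" is an assumption about the launcher.

```python
import shlex

PROP = "com.ibm.jsse2.renegotiate"
VALID = {"ALL", "NONE", "ABBREVIATED"}   # values listed in the bulletin
LABELS = {"NONE": "disabled", "ABBREVIATED": "abbreviated-only", "ALL": "re-enabled"}

def renegotiate_setting(cmdline):
    """Return the value a java launch line sets for PROP, or None if unset."""
    tokens = shlex.split(cmdline)[1:]     # drop the java executable itself
    value = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-cp", "-classpath"):
            i += 2                        # option plus its path argument
            continue
        if tok == "-jar" or not tok.startswith("-"):
            break                         # the rest are application arguments
        if tok.startswith("-D" + PROP + "="):
            value = tok.split("=", 1)[1]  # assumption: last -D on the line wins
        i += 1
    return value

def classify(cmdline):
    value = renegotiate_setting(cmdline)
    if value is None:
        return "default"                  # NONE only if APAR IZ65239 is installed
    if value not in VALID:
        return "invalid"                  # not one of the documented values
    return LABELS[value]

def audit(cmdlines):
    """Return (line, verdict) for every line that needs a reviewer's attention."""
    verdicts = [(c, classify(c)) for c in cmdlines]
    return [(c, v) for c, v in verdicts if v not in ("default", "disabled")]

# Constructed launch lines (paths, jar and class names are hypothetical).
SAMPLE = [
    "/opt/ibm/java/bin/java -Xmx512m -jar billing.jar",
    "/opt/ibm/java/bin/java -D" + PROP + "=ALL -cp lib/app.jar com.example.Gateway",
    "/opt/ibm/java/bin/java -D" + PROP + "=ALL -D" + PROP + "=NONE -jar a.jar",
    "/opt/ibm/java/bin/java -jar tool.jar -D" + PROP + "=ALL",
    "/opt/ibm/java/bin/java -D" + PROP + "=all -jar b.jar",
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE):
        print(verdict, "|", line)
```

A "default" verdict means the line does not set the property; it says nothing about whether the fix is installed on that JVM.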


It is the recommendation of IBM to install all Security and System Integrity 
PTFs applicable to z/OS and any installed FMIDs. To determine whether PTFs are 
needed, customers should follow normal procedures in obtaining 
security/integrity PTFs from IBM for z/OS. The IBM System z policy restricts 
distribution of security and system integrity APARs to reduce the risk of 
exposure. Customer representatives who have been authorized for System z 
Security Access can obtain Security/Integrity information, including SMP/E 
Enhanced HOLD DATA, for all security/integrity APARs. Please see the URL 
http://www.vm.ibm.com/devpages/spera/aparinfo.html for details on the 
procedures authorizing access to IBM System z security/integrity 
information. Security/integrity service information should be checked on a 
regular basis and PTFs applied as soon as possible to eliminate potential 
risks.

If your Java application or IBM i leverages IBM JSSE and i System SSL, fixes 
for security vulnerabilities identified to be applicable to IBM i are available 
in a Security PTF group as well as the HIPER PTF group. The PTF groups can be 
viewed at the Preventive Service Planning - PSP web site 
http://www-912.ibm.com/s_dir/sline003.NSF/GroupPTFs?OpenView&view=GroupPTFs. 
Expand the release to see groups, including Group Security.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFLL/8kNVH5XJJInbgRAuuxAJsGCVbgJ7Uyiassyiy3ynXt8JON8ACfYNE9
bTu9I9oOSz4L1sorV55eces=
=o2Eb
-----END PGP SIGNATURE-----