APAR status
Closed as program error.
Error description
The port 9081 used by the Spectrum Protect GUI is reported as being vulnerable to Logjam (CVE-2015-4000).

Spectrum Protect versions affected:
- All supported versions of IBM Spectrum Protect for Virtual Environments - Data Protection for VMware on Linux and Windows. See APAR IT31577.
- IBM Spectrum Protect for Virtual Environments - Data Protection for Hyper-V 8.1.4 and higher on Windows. See APAR IT32315.
- All supported versions of the IBM Spectrum Protect Backup-Archive web user interface on 8.1.7 on Linux x86 and Windows, 8.1.8 on Linux Power LE and Linux z, and 8.1.9 on AIX. See APAR IT32317.

Initial Impact: Medium
Additional Keywords: TS003074169, java, cve, logjam, ssl, security, vulnerability, IT30213
Local fix
As a workaround, create and change the Spectrum Protect Java and webserver configuration files as follows, with an Administrator account on Windows and from a root-owned terminal on Linux.

Example for the Linux platform:

1. Go to the webserver profile directory:

   $ cd /opt/tivoli/tsm/tdpvmware/common/webserver/usr/servers/veProfile/

2. Under this directory, create a JVM security option file ('jvm.security') and, on Linux, update its owner and permissions so that they read:

   $ ls -l jvm.security
   -rwxrwxr-x 1 tdpvmware tdpvmware jvm.security

4. Update the empty file to add the following lines:

   jdk.certpath.disabledAlgorithms=MD2,MD5,SHA1 usage TLSServer TLSClient SignedJAR, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 256, DSS
   jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DH keySize < 2048, EC keySize < 256, DSS, 3DES_EDE_CBC, DES, DESede, RC4, MD5, SHA1, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, anon, NULL

5. Update the existing JVM option file ('/opt/tivoli/tsm/tdpvmware/common/webserver/usr/servers/veProfile/jvm.options') to have the following lines:

   #-Dcom.ibm.jsse2.sp800-131=transition
   -Dcom.ibm.jsse2.sp800-131=strict
   -Djava.security.properties=file:/opt/tivoli/tsm/tdpvmware/common/webserver/usr/servers/veProfile/jvm.security
   -Djdk.tls.ephemeralDHKeySize=2048
   -Djdk.tls.rejectClientInitiatedRenegotiation=true

   That is, comment out the existing "-Dcom.ibm.jsse2.sp800-131=transition" setting and put the "strict" settings shown above in its place.

6. Update the existing webserver configuration file ('/opt/tivoli/tsm/tdpvmware/common/webserver/usr/servers/veProfile/server.xml') by replacing the following ssl XML element:

   <ssl enabledCiphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA" id="veSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="SSL_TLSv2"/>

   with the following one:

   <ssl id="veSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLSv1.2"/>

7. Then restart the webserver:

   $ service webserver restart

For the Windows platform, the same files need to be created or updated; they are located in C:\IBM\SpectrumProtect\webserver\usr\servers\veProfile.
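The workaround touches three files, and a typo in any of them (a still-active "transition" line, a forgotten "DH keySize < 2048" entry, an ssl element that still pins SSL_TLSv2) leaves the Logjam exposure in place after the restart. The following script is an added example, not IBM code, that reads the three files as text and reports every workaround setting that is missing. It assumes the files are small single-line properties (no backslash line continuations), that IBM JSSE accepts the SSL_ and TLS_ prefixes as names for the same cipher suite (so a TLS_RSA_WITH_... suite pinned in server.xml is matched against the SSL_RSA_WITH_... entries disabled in jvm.security), and all "before" and "after" file contents at the bottom are constructed for the demo.

```python
"""Offline check of the Logjam (CVE-2015-4000) workaround from APAR IT31577.
Added example, not IBM code: it parses the three files the Local fix edits
(jvm.security, jvm.options, server.xml) and lists every workaround setting that
is still missing. The sample file contents at the bottom are constructed."""
import re
import xml.etree.ElementTree as ET

# Names that jdk.tls.disabledAlgorithms must contain besides the DH key-size floor.
REQUIRED_TLS_DISABLED = ("SSLv3", "TLSv1", "TLSv1.1", "RC4", "MD5", "SHA1", "anon", "NULL")

def parse_java_security(text):
    """Parse 'key=v1, v2, ...' lines into {key: [entry, ...]}; '#' comments skipped (no continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = [e.strip() for e in value.split(",") if e.strip()]
    return props

def dh_key_size_floor(entries):
    """Return N from a 'DH keySize < N' entry, or None if the DH size is unrestricted."""
    for entry in entries:
        m = re.fullmatch(r"DH\s+keySize\s*<\s*(\d+)", entry)
        if m:
            return int(m.group(1))
    return None

def parse_jvm_options(text):
    """Return the active (uncommented) -D options of jvm.options as {name: value}."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-D"):  # '#...' comments and blank lines are ignored
            name, _, value = line[2:].partition("=")
            opts[name] = value
    return opts

def check_workaround(jvm_security, jvm_options, server_xml):
    """Return a list of findings; an empty list means every workaround setting is present."""
    findings = []
    tls_disabled = parse_java_security(jvm_security).get("jdk.tls.disabledAlgorithms", [])
    floor = dh_key_size_floor(tls_disabled)
    if floor is None or floor < 2048:  # the Logjam-relevant setting
        findings.append("jvm.security: jdk.tls.disabledAlgorithms lacks 'DH keySize < 2048'")
    for name in REQUIRED_TLS_DISABLED:
        if name not in tls_disabled:
            findings.append(f"jvm.security: {name} not in jdk.tls.disabledAlgorithms")

    opts = parse_jvm_options(jvm_options)
    if opts.get("com.ibm.jsse2.sp800-131") != "strict":
        findings.append("jvm.options: -Dcom.ibm.jsse2.sp800-131 is not set to strict")
    if opts.get("jdk.tls.ephemeralDHKeySize") != "2048":
        findings.append("jvm.options: -Djdk.tls.ephemeralDHKeySize=2048 is missing")
    if not opts.get("java.security.properties", "").endswith("/jvm.security"):
        findings.append("jvm.options: -Djava.security.properties does not point at jvm.security")

    # Suites jvm.security disables by name. Assumption: IBM JSSE accepts SSL_ and TLS_
    # prefixes for the same suite, so compare the part after the prefix.
    disabled = {e.partition("_")[2] for e in tls_disabled if e.startswith("SSL_")}
    for ssl in ET.fromstring(server_xml).iter("ssl"):
        if ssl.get("sslProtocol") != "TLSv1.2":
            findings.append(f"server.xml: ssl id={ssl.get('id')} sslProtocol is not TLSv1.2")
        for suite in ssl.get("enabledCiphers", "").split():
            if suite.partition("_")[2] in disabled:
                findings.append(f"server.xml: enabledCiphers pins disabled suite {suite}")
    return findings

# Constructed samples: 'before' has no jvm.security, the shipped 'transition' option and
# the original ssl element; 'after' mirrors the Local fix above.
BEFORE_JVM_SECURITY = ""
BEFORE_JVM_OPTIONS = "-Dcom.ibm.jsse2.sp800-131=transition\n"
BEFORE_SERVER_XML = (
    '<server><ssl enabledCiphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 '
    'TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 '
    'TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA" id="veSSLConfig" '
    'keyStoreRef="defaultKeyStore" sslProtocol="SSL_TLSv2"/></server>')
AFTER_JVM_SECURITY = """\
jdk.certpath.disabledAlgorithms=MD2,MD5,SHA1 usage TLSServer TLSClient SignedJAR, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 256, DSS
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DH keySize < 2048, EC keySize < 256, DSS, 3DES_EDE_CBC, DES, DESede, RC4, MD5, SHA1, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, anon, NULL
"""
AFTER_JVM_OPTIONS = """\
#-Dcom.ibm.jsse2.sp800-131=transition
-Dcom.ibm.jsse2.sp800-131=strict
-Djava.security.properties=file:/opt/tivoli/tsm/tdpvmware/common/webserver/usr/servers/veProfile/jvm.security
-Djdk.tls.ephemeralDHKeySize=2048
-Djdk.tls.rejectClientInitiatedRenegotiation=true
"""
AFTER_SERVER_XML = '<server><ssl id="veSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLSv1.2"/></server>'

if __name__ == "__main__":
    for label, files in (("before", (BEFORE_JVM_SECURITY, BEFORE_JVM_OPTIONS, BEFORE_SERVER_XML)),
                         ("after", (AFTER_JVM_SECURITY, AFTER_JVM_OPTIONS, AFTER_SERVER_XML))):
        print(label, check_workaround(*files))
```

Running it against the real files means reading each with open(...).read() in place of the constructed strings; a clean result is an empty list. The mixed case (hardened jvm.security but the old ssl element still present) is the one worth watching: the explicit enabledCiphers list pins static-RSA suites that jvm.security disables, which is why step 6 removes the attribute rather than editing it.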
Problem summary
USERS AFFECTED:
IBM Spectrum Protect for Virtual Environments Data Protection for VMware versions 7.1 and 8.1 running on all Microsoft Windows x64 and Linux x86_64 platforms.

PROBLEM DESCRIPTION:
See ERROR DESCRIPTION. For more information, refer to the security bulletin at this link: https://www.ibm.com/support/pages/node/6245366

RECOMMENDATION:
Apply fixing level when available. This problem is projected to be fixed in the Data Protection for VMware Web GUI levels 7.1.8.9 and 8.1.10 on Windows x64 and Linux x86_64 platforms. Note that this is subject to change at the discretion of IBM.
Problem conclusion
The problem has been fixed so that it no longer occurs.
Temporary fix
Comments
APAR Information
APAR number
IT31577
Reported component name
TSM FOR VE DP V
Reported component ID
5725TVEVM
Reported release
81W
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-01-20
Closed date
2020-03-26
Last modified date
2020-07-16
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
GUI
Fix information
Fixed component name
TSM FOR VE DP V
Fixed component ID
5725TVEVM
Applicable component levels
Line of Business: Storage (LOB26)
Business Unit: IBM Infrastructure w/TPS (BU058)
Product: Tivoli Storage Manager for Virtual Environments (SS8TDQ)
Platform: Platform Independent (PF025)
Version: 81W
Document Information
Modified date:
14 February 2021