IBM Support

IT32317: SPECTRUM PROTECT FOR VIRTUAL ENVIRONMENTS VULNERABLE TO LOGJAM (CVE-2015-4000)

APAR status

  • Closed as program error.

Error description

  • The port 9081 used by the Spectrum Protect for Virtual
    Environments GUI is reported as being vulnerable to Logjam
    (CVE-2015-4000).

    Spectrum Protect versions affected:
    All supported versions of IBM Spectrum Protect for Virtual
    Environments - Data Protection for VMware on Linux and Windows;
    see APAR IT31577.

    IBM Spectrum Protect for Virtual Environments - Data Protection
    for Hyper-V 8.1.4 and higher on Windows; see APAR IT32315.

    All supported versions of the IBM Spectrum Protect backup-archive
    web user interface on:
    8.1.7 on Linux x86 and Windows
    8.1.8 on Linux Power LE and Linux z
    8.1.9 on AIX
    See APAR IT32317.

    Initial Impact: Medium

    Additional Keywords: TS003074169, java, cve, logjam, ssl,
    security, vulnerability, IT30213
    

Local fix

  • As a workaround, create and change the Spectrum Protect for
    Virtual Environments Java and webserver configuration files as
    follows, using an Administrator account on Windows or a
    root-owned terminal on Linux.

    Example for the Linux platform:
    1. Go to the webserver profile directory:
       $ cd /opt/tivoli/tsm/tdpvmware/common/webserver/usr/servers/veProfile/
    2. Under this directory, create a JVM security option file
       ('jvm.security') and, on Linux, update the owner and
       permissions so that it shows:
       $ ls -l jvm.security
       -rwxrwxr-x 1 tdpvmware tdpvmware   jvm.security
    3. Update the empty file to add the following lines:
       jdk.certpath.disabledAlgorithms=MD2,MD5,SHA1 usage TLSServer TLSClient SignedJAR, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 256, DSS
       jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DH keySize < 2048, EC keySize < 256, DSS, 3DES_EDE_CBC, DES, DESede, RC4, MD5, SHA1, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, anon, NULL
    4. Update the existing JVM option file
       ('/opt/tivoli/tsm/tdpvmware/common/webserver/usr/servers/veProfile/jvm.options')
       to have the following lines:
       #-Dcom.ibm.jsse2.sp800-131=transition
       -Dcom.ibm.jsse2.sp800-131=strict
       -Djava.security.properties=file:/opt/tivoli/tsm/tdpvmware/common/webserver/usr/servers/veProfile/jvm.security
       -Djdk.tls.ephemeralDHKeySize=2048
       -Djdk.tls.rejectClientInitiatedRenegotiation=true
       That is, comment out the existing
       "-Dcom.ibm.jsse2.sp800-131=transition" setting and put the
       "strict" settings shown above in its place.
    5. Update the existing webserver configuration file
       ('/opt/tivoli/tsm/tdpvmware/common/webserver/usr/servers/veProfile/server.xml')
       as follows: replace the ssl XML element
          <ssl enabledCiphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA" id="veSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="SSL_TLSv2"/>
       with the following one:
          <ssl id="veSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLSv1.2"/>
    6. Then restart the webserver:
       $ service webserver restart

    For the Windows platform, the same files need to be created or
    updated; they are located in
    C:\IBM\SpectrumProtect\webserver\usr\servers\veProfile.
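    To confirm that the workaround above is actually in place on a profile, the following added example (not IBM's code) reads the three veProfile files as text and lists which of the APAR's settings are missing; the file contents embedded in it are constructed samples, and the check only parses configuration, it does not touch the running webserver.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample contents of the three veProfile files after the workaround.
JVM_SECURITY = """jdk.certpath.disabledAlgorithms=MD2,MD5,SHA1 usage TLSServer TLSClient SignedJAR, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 256, DSS
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DH keySize < 2048, EC keySize < 256, DSS, 3DES_EDE_CBC, DES, DESede, RC4, MD5, SHA1, anon, NULL
"""
JVM_OPTIONS = """#-Dcom.ibm.jsse2.sp800-131=transition
-Dcom.ibm.jsse2.sp800-131=strict
-Djava.security.properties=file:/opt/tivoli/tsm/tdpvmware/common/webserver/usr/servers/veProfile/jvm.security
-Djdk.tls.ephemeralDHKeySize=2048
-Djdk.tls.rejectClientInitiatedRenegotiation=true
"""
SERVER_XML = '<server><ssl id="veSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLSv1.2"/></server>'

def disabled_tls_algorithms(jvm_security):
    """Entries of jdk.tls.disabledAlgorithms as a set (empty if the key is absent)."""
    m = re.search(r"^jdk\.tls\.disabledAlgorithms=(.*)$", jvm_security, re.M)
    return {e.strip() for e in m.group(1).split(",")} if m else set()

def active_jvm_options(jvm_options):
    """Uncommented -D options; a leading '#' disables a line, as with the transition setting."""
    return {l.strip() for l in jvm_options.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}

def ssl_protocol(server_xml):
    """sslProtocol of the <ssl id="veSSLConfig"> element, or None if absent."""
    for ssl in ET.fromstring(server_xml).iter("ssl"):
        if ssl.get("id") == "veSSLConfig":
            return ssl.get("sslProtocol")
    return None

def audit(jvm_security, jvm_options, server_xml):
    """Return the settings from the APAR that are missing; [] means all applied."""
    missing = []
    disabled = disabled_tls_algorithms(jvm_security)
    # Logjam is the "DH keySize < 2048" entry; the protocol entries close the downgrade path.
    for entry in ("DH keySize < 2048", "SSLv3", "TLSv1", "TLSv1.1"):
        if entry not in disabled:
            missing.append("jvm.security: " + entry)
    opts = active_jvm_options(jvm_options)
    for opt in ("-Dcom.ibm.jsse2.sp800-131=strict", "-Djdk.tls.ephemeralDHKeySize=2048"):
        if opt not in opts:
            missing.append("jvm.options: " + opt)
    if not any(o.startswith("-Djava.security.properties=") for o in opts):
        missing.append("jvm.options: -Djava.security.properties")
    if ssl_protocol(server_xml) != "TLSv1.2":
        missing.append("server.xml: sslProtocol=TLSv1.2")
    return missing
```

    Run audit() on the real file contents read from the veProfile directory; an empty list means every setting the APAR asks for is present and active.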
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * IBM Spectrum Protect backup-archive web user interface on:   *
    * V8.1.7 running on Linux x86 and Windows                      *
    * V8.1.8 running on Linux Power LE and Linux z                 *
    * V8.1.9 running on AIX                                        *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See ERROR DESCRIPTION.                                       *
    * For more information, refer to the security bulletin at this *
    * link: https://www.ibm.com/support/pages/node/6245366         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply fixing level when available. This problem is projected *
    * to be fixed in the backup-archive web user interface level   *
    * 8.1.10 on all Linux, AIX and Windows platforms.              *
    * Note that this is subject to change at the discretion of     *
    * IBM.                                                         *
    ****************************************************************
    

Problem conclusion

  • The problem has been fixed so that it no longer occurs.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT32317

  • Reported component name

    TSM CLIENT

  • Reported component ID

    5698ISMCL

  • Reported release

    81W

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-03-26

  • Closed date

    2020-03-26

  • Last modified date

    2020-07-16

  • APAR is sysrouted FROM one or more of the following:

    IT31577

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TSM CLIENT

  • Fixed component ID

    5698ISMCL

Applicable component levels


Document Information

Modified date:
13 February 2021