Workarounds and Mitigations

IBM Integration Bus V9 and V10

a) IBM Java 7 shipped with IBM Integration Bus has RC4 enabled by default and is therefore vulnerable. The vulnerability can be mitigated by disabling RC4 which can be achieved by following 'Instructions to disable RC4 in Java 7' given below.
After disabling the RC4 ciphers if you decide to use CBC ciphers you should follow the steps outlined in 'Using CBC ciphers' given below.

b) If you use the DataDirect ODBC V7.x drivers shipped with WebSphere Message Broker
The SSL library shipped with the ODBC drivers is vulnerable. The RC4 ciphers are in the acceptable cipher list by default. To mitigate this vulnerability you can configure the drivers to exclude RC4 ciphers from the list of negotiated ciphers by following 'Instructions to disable RC4 in DataDirect drivers' given below.

WebSphere Message Broker V7 and V8

a) After disabling the RC4 ciphers by applying the APAR fix if you then decide to use CBC ciphers you should follow the steps outlined in 'Using CBC ciphers' given below.

b) If you use the DataDirect ODBC V7.x drivers shipped with WebSphere Message Broker
The SSL library shipped with the ODBC drivers is vulnerable. The RC4 ciphers are in the acceptable cipher list by default. To mitigate this vulnerability you can configure the drivers to exclude RC4 ciphers from the list of negotiated ciphers by following 'Instructions to disable RC4 in DataDirect drivers' given below.

WebSphere Message Broker Toolkit V7 and V8

WebSphere Message Broker Toolkit Versions 7.0 and V8.0 by default disable the RC4 stream cipher for broker administration and are not vulnerable. To remain protected in all cases you should NOT enable weak or export-level cipher suites or select an RC4 cipher when connecting to the Broker's Queue Manager. If you enable the RC4 stream cipher you are vulnerable.

To use a TLS cipher to connect to the Queue Manager, you must apply a fixpack or ifix containing APAR IT05725. APAR IT05725 is planned for inclusion in 7.0.0.8 and 8.0.0.5 Interim Fix 001.

If you choose to use CBC ciphers in place of the RC4 ciphers you should follow the steps outlined in 'Using CBC ciphers' given below.

IBM Integration Toolkit V9

IBM Integration Toolkit V9.0 by default disables the RC4 stream cipher for broker administration and is not vulnerable. To remain protected in all cases you should NOT enable weak or export-level cipher suites or select an RC4 cipher when connecting to the Broker's Queue Manager. If enable the RC4 stream cipher you are vulnerable.

To use a TLS cipher to connect to the Queue Manager, you must apply a fixpack or ifix containing APAR IT05429. APAR IT05429 is available in IBM Integration Toolkit Version 9.0 Fix Pack 3.

To stop users enabling the RC4 stream cipher in the future you should disable RC4 by following 'Instructions to disable RC4 in Java7' given below.

If you choose to use CBC ciphers in place of the RC4 ciphers you should follow the steps outlined in 'Using CBC ciphers' given below.

Instructions to disable RC4 in Java 7

Add RC4 to the list of disabled algorithms defined by the jdk.tls.disabledAlgorithms security property in the java.security file. For example:

jdk.tls.disabledAlgorithms=SSLv3, RC4

The java.security file can be found in the following locations:

IBM Integration Bus V9:
<install>\jre17\lib\security\java.security

IBM Integration Toolkit V9
<install>\jdk\jre\lib\security\java.security

IBM Integration Bus V10 on Windows and LinuxX64:
<install>\common\jdk\jre\lib\security\java.security

IBM Integration Bus V10 not on Windows and LinuxX64:
<install>\common\jre\lib\security\java.security

Instructions to disable RC4 in DataDirect drivers (ODBC SSL connectivity)

Use the undocumented CipherList connection option:

Option name: CipherList   (CL)

Default:  "DEFAULT", currently equivalent to "ALL:!aNULL:!eNULL:!SSLv2"

Format: See "Cipher List Format" at https://www.openssl.org/docs/apps/ciphers.html

In order to disable RC4 ciphers while still maintaining the default restrictions, you need to set:

CipherList=DEFAULT:!RC4

Using CBC ciphers

After disabling the RC4 ciphers if you decide to enable and use CBC ciphers then you should set the jsse.enableCBCProtection JVM system property to avoid vulnerability to the BEAST security vulnerability CVE-2011-3389.

More details about this JVM system property can be found here: http://www.ibm.com/support/knowledgecenter/SSYKE2_6.0.0/com.ibm.java.security.component.60.doc/security-component/jsse2Docs/beast.html

You can set the JVM system property in a number of ways.

For WebSphere Message Broker and IBM Integration Bus runtime by either:

• Setting on a per-execution group basis by following the instructions to set a jvmSystemProperty using mqsichangeproperties here: http://www.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/an09143_.htm
• Setting on a per-broker or machine wide basis by setting the IBM_JAVA_OPTIONS (_JAVA_OPTIONS on Solaris or HP systems) environment variable:
IBM_JAVA_OPTIONS=-Djsse.enableCBCProtection=true

_JAVA_OPTIONS=-Djsse.enableCBCProtection=true

On Windows, Linux and UNIX® systems by following the instructions applicable for your platform to setup the command environment here: http://www.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/an26190_.htm?cp=SSMKHH_9.0.0%2F7-0-14

On z/OS systems by adding the environment variable to BIPBPROF and submitting BIPGEN to recustomize the ENVFILE: http://www.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/ae22465_.htm

If you already have the IBM_JAVA_OPTIONS or _JAVA_OPTIONS environment variable set then you will need to add the new parameter to the end of any existing parameters preceded by a space.

For WebSphere Message Broker and IBM Integration Toolkit:

Edit the eclipse.ini file for the toolkit installation and add the following line:
-Djsse.enableCBCProtection=true

The eclipse.ini file can be found in the root directory of the toolkit installation. For example:
c:\Program Files (x86)\IBM\WMBT800\eclipse.ini
c:\Program Files\IBM\IIB\10.0.0.0\tools\eclipse.ini

Note that in the event that servers or clients are configured to use only RC4 ciphers, the above settings would prevent any SSL connection from succeeding.

You should verify applying the above configuration changes do not cause any compatibility issues. Not disabling the RC4 stream cipher will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.

The full list of Java acceptable protocols and their meaning are at http://www.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/jsse2Docs/protocols.html