Security Bulletin
Summary
The RC4 “Bar Mitzvah” Attack for SSL/TLS affects OpenPages GRC Platform with Application Server.
Vulnerability Details
CVEID: CVE-2015-2808
DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as "Bar Mitzvah Attack".
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Affected Products and Versions
OpenPages GRC Platform with Application Server 6.2.0, 6.2.1, 7.0 (embedded application server versions)
Remediation/Fixes
None
Workarounds and Mitigations
The embedded application server can be reconfigured to accept only known good cipher suites, which avoids this issue. Note that this mitigation changes the list of cipher suites accepted by the application server to a single suite (TLS_RSA_WITH_AES_128_CBC_SHA) over TLS, so clients that cannot negotiate that suite will fail to connect. While no issues were found in internal testing, test this configuration on a test system in your environment before using it in production.
Mitigation Steps:
- Stop all servers. For details on stopping services, see the “Starting and Stopping Servers” chapter in the IBM® OpenPages® GRC Platform Administrator’s Guide.
- Log into the Windows console of the primary application server as an administrator.
- Launch regedit.exe
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\OpenPagesAdminServer\Parameters
- Right-click on the Parameters key and select Export.
- Create a backup directory (you will be repeating this export with other keys).
- Save the export as OpenPagesAdminServer
- Select the current value for CmdLine
- Paste it into a text editor such as Notepad
- Move to the very end of the string and you will find the text "weblogic.Server"
- Insert the string "-Dweblogic.security.SSL.protocolVersion=TLS1" before "weblogic.Server".
For example, change:
-Djava.security.policy="C:\oracle\middleware\wlserver_10.3\server\lib\weblogic.policy" weblogic.Server
to:
-Djava.security.policy="C:\oracle\middleware\wlserver_10.3\server\lib\weblogic.policy" -Dweblogic.security.SSL.protocolVersion=TLS1 weblogic.Server
- Copy the string from your editor and use it to replace the current contents of the CmdLine setting.
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\OpenPagesServer1\Parameters
- Right-click on the Parameters key and select Export.
- Save the export as OpenPagesServer1 in the backup directory
- Repeat the CmdLine edit for this key: select the current value of CmdLine, paste it into your editor, insert "-Dweblogic.security.SSL.protocolVersion=TLS1" before "weblogic.Server", and copy the result back into CmdLine.
- If you have additional nodes installed (for example OpenPagesServer2), repeat the export and the CmdLine edit for each node.
- Repeat the process for the workflow servers by editing:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\InterstageBPMAdminServer\Parameters
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\InterstageBPMCS1\Parameters
- Any additional nodes installed (for example InterstageBPMCS2)
- Close Registry Editor.
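As an added example (not part of the IBM bulletin), the following PowerShell script performs the registry part of the mitigation above: it exports each Parameters key to a backup directory, then inserts the protocolVersion flag in front of "weblogic.Server" in CmdLine. It assumes it is run as an administrator on the primary application server with all services stopped; the backup directory and the list of service names are assumptions you should adjust to your installation (add any extra nodes such as OpenPagesServer2).

```powershell
# Added example, not from the bulletin: automate the CmdLine edit for each
# OpenPages / Interstage BPM service key. Run elevated, with services stopped.
param(
    [string]$BackupDir = "C:\OpenPages\regbackup",                 # assumption
    [string[]]$Services = @(                                      # assumption: add extra nodes here
        "OpenPagesAdminServer", "OpenPagesServer1",
        "InterstageBPMAdminServer", "InterstageBPMCS1"
    )
)

$Flag   = "-Dweblogic.security.SSL.protocolVersion=TLS1"
$Marker = "weblogic.Server"

function Add-ProtocolFlag {
    # Pure string transform, so it can be tried on a copied value before the
    # registry is touched. Idempotent: a CmdLine that already carries the flag
    # is returned unchanged; a CmdLine that does not end in the marker is refused.
    param([string]$CmdLine)
    if ($CmdLine.Contains($Flag)) { return $CmdLine }
    $idx = $CmdLine.LastIndexOf($Marker)
    if ($idx -lt 0) { throw "CmdLine does not contain '$Marker'; refusing to edit" }
    return $CmdLine.Substring(0, $idx) + "$Flag " + $CmdLine.Substring($idx)
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($svc in $Services) {
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\services\$svc\Parameters"
    $regKey  = "HKLM\SYSTEM\CurrentControlSet\services\$svc\Parameters"
    if (-not (Test-Path $keyPath)) { Write-Warning "$svc : key not found, skipping"; continue }

    # Export the key first (the bulletin's "Right-click ... Export" step) and
    # stop if the export fails, so no value is changed without a backup.
    & reg.exe export $regKey (Join-Path $BackupDir "$svc.reg") /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "registry export failed for $svc; aborting" }

    $current = (Get-ItemProperty -Path $keyPath -Name CmdLine -ErrorAction Stop).CmdLine
    $updated = Add-ProtocolFlag $current
    if ($updated -eq $current) { Write-Host "$svc : flag already present"; continue }

    # Preserve the existing value kind (REG_SZ or REG_EXPAND_SZ) when writing back.
    $kind = (Get-Item -Path $keyPath).GetValueKind("CmdLine")
    Set-ItemProperty -Path $keyPath -Name CmdLine -Value $updated -Type $kind
    Write-Host "$svc : CmdLine updated"
}
```

The exported .reg files in the backup directory can be re-imported with reg.exe import to roll back. Add-ProtocolFlag refuses a CmdLine that does not contain "weblogic.Server", which guards against applying the edit to a service key that is not a WebLogic server.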
- Navigate to the file <OpenPages_Home>\OpenPagesDomain\config\config.xml
For example:
C:\OpenPages\OpenPagesDomain\config\config.xml
- Make a backup copy of the file
- Edit the file in Notepad or a similar text editor.
- Locate the following section:
<server>
<name>OpenPagesAdminServer</name>
<ssl>
<name>OpenPagesAdminServer</name>
<enabled>true</enabled>
- Add the following below the <enabled>true</enabled> line:
<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
<jsse-enabled>true</jsse-enabled>
- Look further down the file for the section:
<server>
<name>ServerName-OpenPagesServer1</name>
<max-message-size>2000000000</max-message-size>
<ssl>
<enabled>true</enabled>
- Add the following below the <enabled>true</enabled> line:
<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
- In the same <ssl> block, add <jsse-enabled>true</jsse-enabled> just before the closing </ssl>. Your <ssl> block should now look something like the following:
<ssl>
<enabled>true</enabled>
<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
<listen-port>7010</listen-port>
<server-private-key-alias>mystrongcert</server-private-key-alias>
<server-private-key-pass-phrase-encrypted>{AES}123456abce=</server-private-key-pass-phrase-encrypted>
<jsse-enabled>true</jsse-enabled>
</ssl>
- Make the same changes to any additional nodes you have configured (for example ServerName-OpenPagesServer2).
- Save and close config.xml
- Navigate to the file <Fujitsu_Home>\InterstageBPM\IBPMDomain\config\config.xml
For example:
C:\Fujitsu\InterstageBPM\IBPMDomain\config\config.xml
- Make a backup copy of the file
- Edit the file in Notepad or a similar text editor.
- Locate the following section:
<server>
<name>AdminServer</name>
<ssl>
<name>AdminServer</name>
<enabled>true</enabled>
- Add the following below the <enabled>true</enabled> line:
<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
- In the same <ssl> block, add <jsse-enabled>true</jsse-enabled> just before the closing </ssl>. Your <ssl> block should now look like the following:
<ssl>
<enabled>true</enabled>
<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
<listen-port>49902</listen-port>
<jsse-enabled>true</jsse-enabled>
</ssl>
- Look further down the file for the section:
<server>
<name>ServerName-InterstageBPMCS1</name>
<max-message-size>2000000000</max-message-size>
<ssl>
<enabled>true</enabled>
- Add the following below the <enabled>true</enabled> line:
<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
- In the same <ssl> block, add <jsse-enabled>true</jsse-enabled> just before the closing </ssl>. Your <ssl> block should now look something like the following:
<ssl>
<enabled>true</enabled>
<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
<listen-port>49952</listen-port>
<jsse-enabled>true</jsse-enabled>
</ssl>
- Make the same changes to any additional nodes you have configured (for example ServerName-InterstageBPMCS2).
- Save and close config.xml
- Restart the services.
- Once the services are running, connect to the application over HTTPS to validate that you can log in. If you have a TLS testing tool available, also confirm that the server now refuses RC4 cipher suites and offers only TLS_RSA_WITH_AES_128_CBC_SHA.
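As an added example (not part of the IBM bulletin), the following PowerShell script applies the config.xml part of the mitigation with an XML parser instead of hand-editing, so that each named <server>'s <ssl> block ends up with <enabled>true</enabled>, exactly one <ciphersuite>, and <jsse-enabled>true</jsse-enabled>, placed as in the bulletin's examples. The default config path and server names are the bulletin's examples and are assumptions; run it once for the OpenPages domain and once for the Interstage BPM domain with the matching names.

```powershell
# Added example, not from the bulletin: pin the cipher suite in a WebLogic
# domain config.xml. Defaults are the bulletin's OpenPages example values.
param(
    [string]$ConfigPath  = "C:\OpenPages\OpenPagesDomain\config\config.xml",     # assumption
    [string[]]$ServerNames = @("OpenPagesAdminServer", "ServerName-OpenPagesServer1"),  # assumption
    [string]$CipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA"
)

function Set-SslCipherSuite {
    # Edits the <ssl> block of every <server> whose <name> is in $Names and
    # returns the names that were changed. local-name() XPath is used so the
    # script works whether or not config.xml declares a default namespace.
    param([xml]$Doc, [string[]]$Names, [string]$Suite)
    $changed = @()
    foreach ($srv in @($Doc.SelectNodes("//*[local-name()='server']"))) {
        $nameEl = $srv.SelectSingleNode("*[local-name()='name']")
        if ($null -eq $nameEl -or $Names -notcontains $nameEl.InnerText) { continue }
        $ssl = $srv.SelectSingleNode("*[local-name()='ssl']")
        if ($null -eq $ssl) { Write-Warning "server '$($nameEl.InnerText)' has no <ssl> block"; continue }
        $nsUri = $ssl.NamespaceURI

        # <enabled>true</enabled>: create it if absent, otherwise force it to true.
        $enabled = $ssl.SelectSingleNode("*[local-name()='enabled']")
        if ($null -eq $enabled) {
            $enabled = $Doc.CreateElement("enabled", $nsUri)
            [void]$ssl.PrependChild($enabled)
        }
        $enabled.InnerText = "true"

        # Exactly one <ciphersuite>, directly after <enabled> as in the bulletin.
        foreach ($old in @($ssl.SelectNodes("*[local-name()='ciphersuite']"))) { [void]$ssl.RemoveChild($old) }
        $cs = $Doc.CreateElement("ciphersuite", $nsUri)
        $cs.InnerText = $Suite
        [void]$ssl.InsertAfter($cs, $enabled)

        # <jsse-enabled>true</jsse-enabled> as the last child of <ssl>.
        $jsse = $ssl.SelectSingleNode("*[local-name()='jsse-enabled']")
        if ($null -eq $jsse) {
            $jsse = $Doc.CreateElement("jsse-enabled", $nsUri)
            [void]$ssl.AppendChild($jsse)
        }
        $jsse.InnerText = "true"
        $changed += $nameEl.InnerText
    }
    return $changed
}

# The bulletin's "Make a backup copy of the file" step, then load, edit, save.
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
$doc = New-Object System.Xml.XmlDocument
$doc.PreserveWhitespace = $true          # keep the original layout diffable against the backup
$doc.Load((Resolve-Path $ConfigPath).Path)
$done = Set-SslCipherSuite -Doc $doc -Names $ServerNames -Suite $CipherSuite
if ($done) {
    $doc.Save((Resolve-Path $ConfigPath).Path)
    Write-Host "Updated <ssl> blocks for: $($done -join ', ')"
} else {
    Write-Warning "No matching <server> entries found; config.xml left unchanged"
}

# Workflow (Interstage BPM) domain, with the bulletin's example path and names:
#   .\Set-CipherSuite.ps1 -ConfigPath "C:\Fujitsu\InterstageBPM\IBPMDomain\config\config.xml" `
#       -ServerNames AdminServer, ServerName-InterstageBPMCS1
```

Newly created elements are inserted without indentation, which WebLogic does not care about but which makes the diff against config.xml.bak slightly noisier; the important property is that every targeted <ssl> block carries the single cipher suite and has the JSSE stack enabled, which is what the cipher suite name in the bulletin requires.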
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
15 June 2018
UID
swg21902774