Technical Blog Post
Abstract
Security vulnerability on agent used for gateway
Body
A customer recently reported that they were receiving vulnerability reports for the LZ agent used for the downstream gateway.
The environment was at 6.3 FP06.
1. The first was rated [medium]: SSL Enabled Server Supports Medium Strength SSL Encryption Certificates/Ciphers
2. The second was rated [low]: SSL 64-bit Block Size Cipher Suites Supported (SWEET32)
For the second item SWEET32 here are more details:
http://www-01.ibm.com/support/docview.wss?uid=swg21999452
Technically, however, the IHS in ITM is only theoretically "vulnerable" to that CVE: 3DES is not a preferred cipher in ITM, and ITM does not transmit data at the gigabyte scale.
A fix for it was made available in April.
The first issue, however, still needed to be addressed.
There is a new feature in 6.3 FP07 to selectively disable or enable TLS protocols:
http://www-01.ibm.com/support/docview.wss?uid=swg1IV82451
Since an upgrade was not possible, the issue was reviewed and the following settings were provided:
KDEBE_TLSV10_CIPHER_SPECS=""
KDEBE_TLSV11_CIPHER_SPECS=""
Note that each value is an empty string. These settings remove every TLS 1.0 and TLS 1.1 cipher from the set available to ITM, which effectively disables both protocols.
The customer implemented these parameters in ms.ini and ms.config of the RTEMS servers (in ms.config the double quotation marks are removed). This was enough to resolve the vulnerability on a gateway downstream of the RTEMS.
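As an added example (not part of the original post or of ITM itself), the following hypothetical helper audits an ms.ini or ms.config file for the two KDEBE settings above, accepting the quoted form used in ms.ini and the unquoted form used in ms.config, and reports whether each legacy protocol is disabled, still enabled with an explicit cipher list, or left at ITM's default because the key is missing. The sample file contents are constructed, and the assumption that comment lines start with # is the author's, not ITM's documentation.

```python
"""Audit ITM ms.ini / ms.config for the legacy TLS cipher-spec settings.
Hypothetical helper written for this example; it is not part of ITM."""
import re

LEGACY_KEYS = ("KDEBE_TLSV10_CIPHER_SPECS", "KDEBE_TLSV11_CIPHER_SPECS")
SETTING_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def parse_settings(text):
    """Return {KEY: VALUE} for KEY=VALUE lines. Surrounding double quotes
    (the ms.ini form) are stripped, so "" and a bare '=' both yield ''."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' marks comments
            continue
        m = SETTING_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        settings[key] = value
    return settings


def legacy_tls_status(text):
    """'disabled' = key present with an empty value (no ciphers, protocol off);
    'enabled'  = key present with a cipher list; 'default' = key absent."""
    settings = parse_settings(text)
    return {
        key: ("default" if key not in settings
              else "disabled" if settings[key] == "" else "enabled")
        for key in LEGACY_KEYS
    }


def legacy_tls_disabled(text):
    """True only when both TLS 1.0 and TLS 1.1 cipher specs are emptied."""
    return all(v == "disabled" for v in legacy_tls_status(text).values())


# Constructed samples mirroring the quoting difference between the two files.
MS_INI_SAMPLE = 'KDEBE_TLSV10_CIPHER_SPECS=""\nKDEBE_TLSV11_CIPHER_SPECS=""\n'
MS_CONFIG_SAMPLE = "KDEBE_TLSV10_CIPHER_SPECS=\nKDEBE_TLSV11_CIPHER_SPECS=\n"
# Constructed misconfiguration: only TLS 1.0 emptied, TLS 1.1 left at default.
PARTIAL_SAMPLE = 'KDEBE_TLSV10_CIPHER_SPECS=""\n'

if __name__ == "__main__":
    for name, text in (("ms.ini", MS_INI_SAMPLE), ("ms.config", MS_CONFIG_SAMPLE),
                       ("partial", PARTIAL_SAMPLE)):
        verdict = "OK" if legacy_tls_disabled(text) else "NOT fully disabled"
        print(f"{name}: {legacy_tls_status(text)} -> {verdict}")
```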
UID
ibm11083843