DB2 - Problem description
Problem IC68054 | Status: Closed
SECURITY: TRANSPORT LAYER SECURITY (TLS) HANDSHAKE RENEGOTIATION WEAK SECURITY CVE-2009-3555
Product: DB2 FOR LUW / DB2FORLUW / 950 - DB2
Problem description:
All customers using DB2 and relying on Secure Sockets Layer v3 (SSLv3) or any version of Transport Layer Security (TLS) to secure communications between a client and a server, or between two servers, are affected by a recently discovered weakness in the TLS and SSLv3 protocols. SSLv2 is not affected. The weakness lies in the TLS/SSL handshake renegotiation and exists in multiple implementations of the protocol.

To address the weakness, IBM, together with the other members of the Industry Consortium for the Advancement of Security on the Internet (ICASI), is working with the Internet Engineering Task Force (IETF) to strengthen the handshake renegotiation protocol in the TLS specification. This effort will take some time to complete, and the delivery outlook for the enhanced renegotiation capability in TLS implementations is unknown at this time.

In the interim, DB2 is delivering a fix that allows an installation to disable TLS handshake renegotiation. Renegotiation is rarely used, and disabling it blocks a remote attacker from attempting to exploit the weakness. After this fix is installed, the default setting disables TLS handshake renegotiation. The fix also provides an option to re-enable renegotiation if warranted. Renegotiation should be re-enabled only if absolutely necessary, and only with a clear understanding and acceptance of the potential security risk.

IBM recommends installing all Security and System Integrity PTFs applicable to z/OS and any installed FMIDs. To determine whether PTFs are needed, customers should follow their normal procedures for obtaining security/integrity PTFs from IBM for z/OS. The IBM System z policy restricts distribution of security and system integrity APARs to reduce the risk of exposure.
Customer representatives who have been authorized for System z Security Access can obtain Security/Integrity information, including SMP/E Enhanced HOLDDATA, for all security/integrity APARs. See http://www.vm.ibm.com/devpages/spera/aparinfo.html for the procedure for authorizing access to IBM System z security/integrity information. Security/integrity service information should be checked regularly and PTFs applied as soon as possible to eliminate potential risks.

Special note for IBM WebSphere MQ customers: customers using IBM WebSphere MQ may need to install APAR IZ64859 (z/OS MQ V6: PM01584; z/OS MQ V7: PM01586). After the TLS/SSL renegotiation disablement fixes are installed, the MQ SSL Secret Key Reset function, controlled by the queue manager attribute SSLRKEYC or the equivalent WMQ client variables, will no longer work until APAR IZ64859 has been installed.
Problem summary:
USERS AFFECTED: All DB2 systems on all Linux, UNIX and Windows platforms at service levels from Version 9.5 GA through Version 9.5 Fix Pack 6.
PROBLEM DESCRIPTION: See "Problem description" above.
RECOMMENDATION: Upgrade to DB2 Version 9.5 Fix Pack 6.
Local fix:
Available fix packs:
DB2 Version 9.5 Fix Pack 6a for Linux, UNIX, and Windows
Solution
The complete fix for this problem first appears in DB2 Version 9.5 Fix Pack 6 and all subsequent fix packs.
Workaround
None known / see Local fix
Further data
Date problem reported: 20.04.2010
Date problem closed: 14.06.2010
Date of last change: 17.08.2010
Problem fixed as of the following versions (IBM BugInfos): 9.5.FP6
Problem fixed according to the FixList in version: