home clear 64x64
en blue 200x116 de orange 200x116 info letter User
suche 36x36
Latest versionsfixlist
11.1.0.7 FixList
10.5.0.9 FixList
10.1.0.6 FixList
9.8.0.5 FixList
9.7.0.11 FixList
9.5.0.10 FixList
9.1.0.12 FixList
Have problems? - contact us.
Register for free anmeldung-x26
Contact form kontakt-x26

DB2 - Problem description

Problem IC68054 Status: Closed

SECURITY: TRANSPORT LAYER SECURITY (TLS) HANDSHAKE RENEGOTIATION WEAK
SECURITY CVE-2009-3555

product:
DB2 FOR LUW / DB2FORLUW / 950 - DB2
Problem description:
All customers using DB2 and relying on Secure Socket Layer v3 
(SSLv3) or any of the multiple versions of Transport Layer 
Security (TLS) in support of secure communications between a 
client and server or between server and server are impacted by a 
recently discovered weakness in the TLS and SSL v3 protocols. 
SSLv2 is not affected. 
 
The TLS/SSL weakness exists in multiple implementations of the 
Transport Layer Security (TLS) protocol, including SSL. 
 
To address the weakness in the TLS/SSL handshake renegotiation, 
IBM, along with the other members in the Industry Consortium for 
the Advancement of Security on the Internet (ICASI), are working 
together with the Internet Engineering Task Force (IETF) to 
enhance and strengthen the handshake renegotiation protocol in 
the TLS specification. This effort will take some time to 
complete.  The delivery outlook for inclusion of this enhanced 
handshake renegotiation capability in TLS protocol 
implementations is unknown at this time. 
 
In the interim, DB2 is delivering a fix to allow an installation 
to disable the TLS handshake renegotiation. The TLS handshake 
renegotiation is rarely used. Disabling the TLS handshake 
renegotiation will block a remote attacker from attempting to 
exploit the weakness in the TLS protocol. After installing this 
fix, the default setting will disable the TLS handshake 
renegotiation. The fix also provides the user with an option to 
re-enable renegotiation if warranted. TLS handshake 
renegotiation should be re-enabled only if absolutely necessary 
and with a clear understanding and acceptance of the potential 
security risks. 
 
It is the recommendation of IBM to install all Security and 
System Integrity PTFs applicable to z/OS and any installed 
FMIDs. To determine whether PTFs are needed,  customers should 
follow normal procedures in obtaining security/integrity PTFs 
from IBM for z/OS. The IBM System z policy restricts 
distribution of security and system integrity APARs to reduce 
the risk of exposure. Customer representatives who have been 
authorized for System z Security Access can obtain 
Security/Integrity information, including SMP/E Enhanced HOLD 
DATA, for all security/integrity APARs.  Please see the URL 
http://www.vm.ibm.com/devpages/spera/aparinfo.html  for details 
on the procedures authorizing access to IBM System z 
security/integrity information. Security/integrity service 
information should be checked on a regular basis and PTFs 
applied as soon as possible to eliminate potential risks. 
 
Special note for IBM WebSphere MQ customers: 
Customer using IBM WebSphere MQ may need to install APAR 
IZ64859(zOS MQ V6 is PM01584 and zOS MQ V7 PM01586). After 
installing the TLS/SSL renegotiation disablement fixes, MQ SSL 
Secret Key Reset function - controlled by the QMGR attribute 
SSLRKEYC  or equivalent WMQ client variables - will no longer 
function until APAR IZ64859 has been installed.
Problem Summary:
**************************************************************** 
* USERS AFFECTED:                                              * 
* All DB2 systems on all Linux, Unix and Windows platforms at  * 
* service levels from Version 9.5 GA through to Version 9.5    * 
* Fix Pack 6.                                                  * 
**************************************************************** 
* PROBLEM DESCRIPTION:                                         * 
* See "Error Description"                                      * 
**************************************************************** 
* RECOMMENDATION:                                              * 
* Upgrade to DB2 Version 9.5 Fix Pack 6.                       * 
****************************************************************
Local Fix:


available fix packs:


DB2 Version 9.5 Fix Pack 6a for Linux, UNIX, and Windows
 DB2 Version 9.5 Fix Pack 7 for Linux, UNIX, and Windows
 DB2 Version 9.5 Fix Pack 8 for Linux, UNIX, and Windows
 DB2 Version 9.5 Fix Pack 9 for Linux, UNIX, and Windows
 DB2 Version 9.5 Fix Pack 10 for Linux, UNIX, and Windows
 


Solution


The complete fix for this problem first appears in DB2 Version 
9.5 Fix Pack 6 and all the subsequent Fix Packs.


Workaround


not known / see Local fix


Timestamps


Date  - problem reported    :
Date  - problem closed      :
Date  - last modified       :

20.04.2010
14.06.2010
17.08.2010


Problem solved at the following versions (IBM BugInfos)


9.5.FP6



Problem solved according to the fixlist(s) of the following version(s)