DB2 - Problem description
Problem IC68055 | Status: Closed |
SECURITY: TRANSPORT LAYER SECURITY (TLS) HANDSHAKE RENEGOTIATION WEAK SECURITY CVE-2009-3555 | |
product: | |
DB2 FOR LUW / DB2FORLUW / 970 - DB2 | |
Problem description: | |
All customers using DB2 and relying on Secure Socket Layer v3 (SSLv3) or any of the multiple versions of Transport Layer Security (TLS) in support of secure communications between a client and server or between server and server are impacted by a recently discovered weakness in the TLS and SSL v3 protocols. SSLv2 is not affected. The TLS/SSL weakness exists in multiple implementations of the Transport Layer Security (TLS) protocol, including SSL. To address the weakness in the TLS/SSL handshake renegotiation, IBM, along with the other members in the Industry Consortium for the Advancement of Security on the Internet (ICASI), are working together with the Internet Engineering Task Force (IETF) to enhance and strengthen the handshake renegotiation protocol in the TLS specification. This effort will take some time to complete. The delivery outlook for inclusion of this enhanced handshake renegotiation capability in TLS protocol implementations is unknown at this time. In the interim, DB2 is delivering a fix to allow an installation to disable the TLS handshake renegotiation. The TLS handshake renegotiation is rarely used. Disabling the TLS handshake renegotiation will block a remote attacker from attempting to exploit the weakness in the TLS protocol. After installing this fix, the default setting will disable the TLS handshake renegotiation. The fix also provides the user with an option to re-enable renegotiation if warranted. TLS handshake renegotiation should be re-enabled only if absolutely necessary and with a clear understanding and acceptance of the potential security risks. It is the recommendation of IBM to install all Security and System Integrity PTFs applicable to z/OS and any installed FMIDs. To determine whether PTFs are needed, customers should follow normal procedures in obtaining security/integrity PTFs from IBM for z/OS. The IBM System z policy restricts distribution of security and system integrity APARs to reduce the risk of exposure. Customer representatives who have been authorized for System z Security Access can obtain Security/Integrity information, including SMP/E Enhanced HOLD DATA, for all security/integrity APARs. Please see the URL http://www.vm.ibm.com/devpages/spera/aparinfo.html for details on the procedures authorizing access to IBM System z security/integrity information. Security/integrity service information should be checked on a regular basis and PTFs applied as soon as possible to eliminate potential risks. Special note for IBM WebSphere MQ customers: Customer using IBM WebSphere MQ may need to install APAR IZ64859(zOS MQ V6 is PM01584 and zOS MQ V7 PM01586). After installing the TLS/SSL renegotiation disablement fixes, MQ SSL Secret Key Reset function - controlled by the QMGR attribute SSLRKEYC or equivalent WMQ client variables - will no longer function until APAR IZ64859 has been installed. | |
Problem Summary: | |
**************************************************************** * USERS AFFECTED: * * All DB2 systems on all Linux, Unix and Windows platforms at * * service levels Version 9.7 GA. * **************************************************************** * PROBLEM DESCRIPTION: * * See "Error Description" * **************************************************************** * RECOMMENDATION: * * Upgrade to DB2 Version 9.7 Fix Pack 2. * **************************************************************** | |
Local Fix: | |
available fix packs: | |
DB2 Version 9.7 Fix Pack 2 for Linux, UNIX, and Windows | |
Solution | |
The complete fix for this problem first appears in DB2 Version 9.7 Fix Pack 2 and all the subsequent Fix Packs. | |
Workaround | |
not known / see Local fix | |
Timestamps | |
Date - problem reported : Date - problem closed : Date - last modified : | 20.04.2010 14.06.2010 17.08.2010 |
Problem solved at the following versions (IBM BugInfos) | |
9.7.FP2 | |
Problem solved according to the fixlist(s) of the following version(s) | |
9.7.0.2 |