The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of TLS: RC4 decryption via Bar Mitzvah

Synthesis of the vulnerability 

An attacker can use the Bar Mitzvah Attack on TLS, in order to obtain sensitive information encrypted by RC4.
Impacted software: DCFM Enterprise, Brocade Network Advisor, Brocade vTM, Avamar, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, HPE BSM, HP Data Protector, HPE NNMi, HP Operations, SiteScope, HP Switch, HP-UX, AIX, DB2 UDB, Domino, Notes, IRAD, Security Directory Server, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, SnapManager, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Oracle OIT, Oracle Virtual Directory, WebLogic, Oracle Web Tier, SSL protocol, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity of this computer vulnerability: 2/4.
Creation date: 27/03/2015.
Références of this announce: 1450666, 1610582, 1647054, 1882708, 1883551, 1883553, 1902260, 1903541, 1960659, 1963275, 1967498, 523628, 7014463, 7022958, 7045736, 9010041, 9010044, Bar Mitzvah, BSA-2015-007, c04708650, c04767175, c04770140, c04772305, c04773119, c04773241, c04777195, c04777255, c04832246, c04926789, c05085988, c05336888, cpujan2018, cpuoct2017, CVE-2015-2808, DSA-2018-124, HPSBGN03350, HPSBGN03393, HPSBGN03399, HPSBGN03407, HPSBGN03414, HPSBGN03415, HPSBGN03580, HPSBHF03673, HPSBMU03345, HPSBMU03401, HPSBUX03435, HPSBUX03512, NTAP-20150715-0001, NTAP-20151028-0001, RHSA-2015:1020-01, RHSA-2015:1021-01, RHSA-2015:1091-01, SOL16864, SSRT102254, SSRT102977, SUSE-SU-2015:1073-1, SUSE-SU-2015:1085-1, SUSE-SU-2015:1086-1, SUSE-SU-2015:1086-2, SUSE-SU-2015:1086-3, SUSE-SU-2015:1086-4, SUSE-SU-2015:1138-1, SUSE-SU-2015:1161-1, VIGILANCE-VUL-16486, VN-2015-004.

Description of the vulnerability 

During the initialization of a TLS session, the client and the server negotiate cryptographic algorithms. The RC4 algorithm can be chosen to encrypt data.

For some weak keys (one over 2^24), the Invariance Weakness can be used to predict the two LSB (Least Significant Bit) of the 100 first bytes encrypted with RC4. The first TLS message is "Finished" (36 bytes), thus an attacker can predict LSBs of 64 bytes.

An attacker can therefore use the Bar Mitzvah Attack on TLS, in order to obtain sensitive information encrypted by RC4.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This security threat impacts software or systems such as DCFM Enterprise, Brocade Network Advisor, Brocade vTM, Avamar, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, HPE BSM, HP Data Protector, HPE NNMi, HP Operations, SiteScope, HP Switch, HP-UX, AIX, DB2 UDB, Domino, Notes, IRAD, Security Directory Server, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, SnapManager, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Oracle OIT, Oracle Virtual Directory, WebLogic, Oracle Web Tier, SSL protocol, RHEL, SUSE Linux Enterprise Desktop, SLES.

Our Vigil@nce team determined that the severity of this computer weakness note is medium.

The trust level is of type confirmed by the editor, with an origin of internet client.

An attacker with a expert ability can exploit this computer threat alert.

Solutions for this threat 

TLS: workaround for Bar Mitzvah.
A workaround is to disable RC4 on TLS clients/servers.
For example, the Apache httpd directive has to contain "!RC4".

AIX: solution for Bar Mitzvah.
The solution is indicated in information sources.

Brocade: solution for RC4.
The solution is indicated in information sources.

Dell EMC Avamar Proxy: solution for Jetty.
The solution is indicated in information sources.

Extreme Networks: solution for Bar Mitzvah.
The solution is indicated in information sources.

F5 BIG-IP: fixed versions for Bar Mitzvah.
Fixed versions are indicated in information sources.

HP BSM Connector: patch for Logjam and Bar Mitzvah.
A patch is available:
  BSMC 9.2x: https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01762681
  BSMC 10.0: https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01758600?lang=en&cc=us&hpappid=113963_OSP_PRO_HPE

HP Data Protector: versions 7.03_108, 8.15 and 9.06.
Versions 7.03_108, 8.15 and 9.06 are fixed:
  https://softwaresupport.hpe.com/

HP Network Node Manager i: patch for OpenSSL.
A patch is available in information sources.

HP Operations Agent: patch for Bar Mitzvah.
A patch is available:
  https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01758900?lang=en&cc=us&hpappid=113963_OSP_PRO_HPE

HP Operations Agent Virtual Appliance: patch for Bar Mitzvah.
A patch is available:
  https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01762720?lang=en&cc=us&hpappid=113963_OSP_PRO_HPE

HP Operations Manager for Unix: patch for Logjam et Bar Mitzvah.
A patch is available:
  https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01777542?lang=en&cc=us&hpappid=113963_OSP_PRO_HPE

HP Operations Manager for Windows: patch for Logjam et Bar Mitzvah.
A patch is available:
  https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01762684?lang=en&cc=us&hpappid=113963_OSP_PRO_HPE

HP Operations Manager i: solution for Bar Mitzvah.
The solution is indicated in information sources.

HP SiteScope: solution for Bar Mitzvah.
The solution is indicated in information sources:
  https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01658992

HP Switch: solution for SSL.
The solution is indicated in information sources.

HP-UX: Web Server Suite version 3.31.
Web Server Suite version B.11.23 is fixed:
  http://software.hp.com/
  HPUXWSATW331

HP-UX Web Server Suite: version 4.06.
The version 4.06 is fixed:
  https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW406

IBM AIX: patch for Java.
The announce states the URLs of the applicable patch for each version of the SDK.

IBM DB2: version 10.1 Fix Pack 5.
The version 10.1 Fix Pack 5 is fixed:
  http://www-304.ibm.com/support/docview.wss?uid=swg24040170#Description

IBM DB2: version 10.1 Fix Pack 6.
The version 10.1 Fix Pack 6 is fixed.

IBM DB2: version 10.5 Fix Pack 6.
The version 10.5 Fix Pack 6 is fixed:
  http://www-01.ibm.com/support/docview.wss?uid=swg24040522

IBM DB2: version 10.5 Fix Pack 7.
The version 10.5 Fix Pack 7 is fixed:
  http://www-01.ibm.com/support/docview.wss?uid=swg24041243

IBM DB2: version 9.7 Fix Pack 11.
The version 9.7 Fix Pack 11 is fixed:
  http://www-01.ibm.com/support/docview.wss?uid=swg24040935

IBM Notes, Domino: patch for Java 6.
A patch is available:
  version 9.0.1.x: http://www-01.ibm.com/support/docview.wss?uid=swg21657963
  version 8.5.3: http://www-01.ibm.com/support/docview.wss?uid=swg21663874

IBM Rational Application Developer: version 9.0.1.2.
The version 9.0.1.2 is fixed:
  http://www.ibm.com/support/docview.wss?uid=swg24039952

IBM Security Directory Server: patch.
A patch is available in information sources, for product versions 6.0 to 6.4.

IBM Tivoli Storage Manager for Virtual Environments: patch for IBM Java.
A patch is indicated in information sources.

IBM Tivoli Workload Scheduler: workaround for Bar Mitzvah.
A workaround is indicated in the information source.

NetApp SnapManager: patch for Oracle Java.
A patch is available:
  SnapManager for Oracle: http://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=959904
  SnapManager for SAP: http://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=959905

NetIQ Sentinel: version 7.4.0.0 Build 2303 A.
The version 7.4.0.0 Build 2303 A is fixed:
  https://download.novell.com/Download?buildid=HN3Bit9V_zo~

Oracle Communications: CPU of January 2018.
A Critical Patch Update is available:
  http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Oracle Fusion Middleware: CPU of October 2017.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2296870.1

Red Hat Satellite 5: new java-1.6.0-ibm packages.
New packages are available:
  RHEL 5: java-1.6.0-ibm 1.6.0.16.4-1jpp.1.el5
  RHEL 6: java-1.6.0-ibm 1.6.0.16.4-1jpp.1.el6_6

RHEL: new java-1.5.0-ibm packages.
New packages are available:
  RHEL 5: java-1.5.0-ibm 1.5.0.16.10-1jpp.1.el5
  RHEL 6: java-1.5.0-ibm 1.5.0.16.10-1jpp.1.el6_6

RHEL: new java-1.7.1-ibm packages.
New packages are available:
  RHEL 6: java-1.7.1-ibm 1.7.1.3.0-1jpp.2.el6_6
  RHEL 7: java-1.7.1-ibm 1.7.1.3.0-1jpp.2.el7_1

SUSE LE 10: new IBM Java packages.
New packages are available:
  SUSE LE 10: java-1_6_0-ibm 1.6.0_sr16.4-0.8.1

SUSE LE 12: new java-1_6_0-ibm packages.
New packages are available:
  SUSE LE 12: java-1_6_0-ibm 1.6.0_sr16.4-15.1

SUSE LE 12: new java-1_7_1-ibm packages.
New packages are available:
  SUSE LE 12: java-1_7_1-ibm 1.7.1_sr3.0-11.1

SUSE LE: new IBM Java packages.
New packages are available:
  SUSE LE 10: java-1_5_0-ibm 1.5.0_sr16.10-0.6.1
  SUSE LE 11: java-1_6_0-ibm 1.6.0_sr16.4-0.3.1, java-1_7_0-ibm 1.7.0_sr9.0-0.7.1

WebSphere AS: patch for Java.
Some patches ae available in information sources, to be chosen according to the version of WebSphere AS.

WebSphere AS: version 7.0.0.39.
The version 7.0.0.39 is fixed:
  http://www.ibm.com/support/docview.wss?uid=swg24041013

WebSphere AS: version 8.0.0.11.
The version 8.0.0.11 is fixed:
  http://www.ibm.com/support/docview.wss?uid=swg24040425

WebSphere MQ: workaround for Bar Mitzvah.
A workaround is indicated in the information source.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides a networks vulnerabilities database. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications.