Security Bulletin: TADDM uses weak SSL certificates (CVE-2012-5770)
IBM Tivoli Application Dependency Discovery Manager SSL certificate uses weak MD5 hash algorithm
TADDM uses weak certificates for SSL communication what can lead to man in the middle attack. The attacker must have access to traffic between TADDM server and its client (GUI or API) to be able to hijack and break the certificate. If more powerful hash algorithm is used the certificate is much more difficult to break.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/80354 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED PRODUCTS AND VERSIONS:
TADDM 220.127.116.11 through 18.104.22.168
|Fix*||VRMF||APAR||How to acquire fix|
|7.2.1-TIV-ITADDM-FP0004||7.2.1.X||IV32391||Download from fix central|
|None||7.2..0.0||None||Upgrade to 22.214.171.124 or work around.|
Each customer should generate their own security certificates that would uniquely identify the customer. The steps to do that are listed in following section.
The certificates can be generated manually issuing following commands:
<taddm_dist_dir>/external/<jdk-for-platform>/bin/keytool -delete -alias collation -keystore <taddm_dist_dir>/etc/serverkeys -storepass <ssl-password>
<taddm_dist_dir>external/<jdk-for-platform>/bin/keytool -genkey -alias collation -keystore <taddm_dist_dir>/etc/serverkeys -validity 3650 -keyAlg RSA -sigalg SHA256WithRSA -keypass <ssl-password> -storepass <ssl-password> -dname "CN=<TADDM_SERVER_FQDN>, OU=Engineering, O=IBM, L=Palo Alto, S=California, C=US"
<taddm_dist_dir>external/<jdk-for-platform>/bin/keytool -export -alias collation -noprompt -keystore <taddm_dist_dir>/etc/serverkeys -keypass <ssl-password> -storepass <ssl-password> -file <taddm_dist_dir>/cert.tmp
<taddm_dist_dir>external/<jdk-for-platform>/bin/keytool -delete -alias collation -noprompt -keystore <taddm_dist_dir>/etc/jssecacerts.cert -storepass <ssl-password>
<taddm_dist_dir>external/<jdk-for-platform>/bin/keytool -import -alias collation -noprompt -keystore <taddm_dist_dir>/etc/jssecacerts.cert -keypass <ssl-password> -storepass <ssl-password> -file <taddm_dist_dir>/cert.tmp
<taddm_dist_dir> - the "dist" dir where taddm is installed
<jdk-for-platform> - jdk dir dedicated for Customer's platform
<ssl-password> - value of com.collation.sslpassphrase
<TADDM_SERVER_FQDN> - taddm server fqdn
NOTE: please backup the existing files before:
If possible access to TADDM server should be restricted to certain selected machines by using e.g. by using iptables. This way the potential attacker must hijack machine allowed to access to conduct MiM attack.
- Complete CVSS Guide
- On-line Calculator V2
- X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/80354
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
1 March 2013: Original Copy Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
More support for:
Tivoli Application Dependency Discovery Manager
Software version: 7.2, 7.2.1
Operating system(s): AIX, Linux, Solaris, Windows
Reference #: 1626029
Modified date: 05 October 2015