Security Improvements on Cast Iron

Transcription

1 IBM Software Group Security Improvements on Cast Iron Subhashini Yegappan, Software Support Engineer Raja Sreenivasan, Advisory Software Engineer 31-Mar-2015 WebSphere Support Technical Exchange

2 Agenda Cast Iron Security Features available Component upgrades PSIRT Process Security Vulnerabilities FAQs WebSphere Support Technical Exchange 2

3 IBM WebSphere Cast Iron The latest and greatest CIOS version available for IBM WebSphere Cast Iron Appliance and Hypervisor is product download link Product documentation: ome.html New Support Page: Upgrading cast iron operation system 3

4 Security Features Available SP a compliance IBM WebSphere Cast Iron Live for US Federal Basic Authentication support for HTTP and Webservice connectors Management API calls OAuth 2.0 authentication WebSphere Support Technical Exchange 4

5 Components Upgraded LDAP authentication Java JRE upgrade Bedrock OS upgrade Crypto service activities WebSphere Support Technical Exchange 5

6 LDAP The Web Management Console (WMC) is a web-based management tool that allows you to: Manage the Integration Appliance Manage integration projects Monitor integration projects To monitor the same, using different user accounts grouped with different permissions, LDAP server can be linked to the WMC and the login accounts can be easily managed by the customer 6

7 JRE, Bedrock and Cryptoservice Java is upgraded to JAVA v7 SR7 TO ADDRESS SECURITY VULNERABILITIES UPGRADE BEDROCK VERSION TO ADDRESS HEARTBLEED AND POODLE SECURITY VULNERABILITIES PGP (PRETTY GOOD PRIVACY) activities are modified to fix script level issues in the services 7

8 PSIRT process IBM Product Security Incident Response Team (PSIRT ) follows the National Institute of Standards and Technology (NIST) guidelines for determining the severity rating of the reported vulnerability. This process alerts the various product teams on the new Vulnerability to determine if their product is affected. Immediately a quick flash is published on the IBM website. Once enough information is available after the product team's investigation, workaround, fixes are updated for customers. 8

9 Security Vulnerabilities Resolved POODLE: SSLv3 Vulnerability GHOST: glibc library security vulnerability Open SSL CVE ,CVE ,CVE Open SSL Heartbleed bug Java security vulnerability Salesforce certificate change to use SHA-256 hash algorithm Bash/Shellshock Bug NTP Vulnerability WebSphere Support Technical Exchange 9

10 POODLE attack affects Cast Iron SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is used for Client/Server communication via Cast Iron Cloud Integration connectors Product could allow a remote attacker to obtain sensitive information caused by a design error when using SSLV3 protocol. This vulnerability affects all versions and releases of Cast Iron. Fix is available in latest Interim Fixes: IF004, IF001, IF009, , 7.x WMC Fix to restrict any endpoints contacting Cast Iron with SSLV3 protocol is available from IFIX06 and higher. 10

11 GHOST glibc library Security Vulnerability GNU C library (glibc) vulnerability that has been referred to as GHOST affects IBM WebSphere Cast Iron Solution By sending a specially crafted, but valid hostname argument, a remote attacker could execute arbitrary code on the system with the privileges of the targeted process or cause the process to crash. This vulnerability affects all versions of the product WebSphere Cast Iron v 7.0, 6.4, 6.3, 6.1 and 6.0. Cast Iron Appliance 7.* ifix CUMUIFIX-008 Cast Iron Appliance x ifix CUMUIFIX-026 Cast Iron Appliance x ifix CUMUIFIX-011 Cast Iron Appliance x ifix CUMUIFIX

12 Open SSL affects IBM Websphere Cast Iron Solution OpenSSL vulnerabilities were disclosed on January 8, 2015 by the OpenSSL Project (OpenSSL.org). OpenSSL is used by IBM WebSphere Cast Iron Solution has addressed the applicable CVEs (CVE ,CVE ,CVE ). OpenSSL could provide weaker than expected security and could allow a local attacker to bypass security restrictions, caused by the modification of the fingerprint without breaking the signature. This Vulnerability affects all versions of the product. Cast Iron Appliance 7.* ifix CUMUIFIX-008 Cast Iron Appliance x ifix CUMUIFIX-026 Cast Iron Appliance x ifix CUMUIFIX-011 Cast Iron Appliance x ifix CUMUIFIX

13 OpenSSL heartbleed issue Allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet WebSphere Cast Iron appliances with version 7 are impacted by this bug. A fix is provided by the BedrockOS patch and is released as part of Cast Iron ifix CUMUIFIX-004 available in IBM Fix Central site. Appliance versions below version 7 are not impacted by this bug Note: It is recommended to refresh the passwords and certificates after the Cast Iron appliances/vm's are upgraded to safe OpenSSL versions. 13

14 Multiple security vulnerabilities in JRE 6 and IBM JRE 7 Affected Platforms: Cast Iron v6.0, v6.1 v6.3, v6.4 and v7.0 Studio, Virtual Appliance and Physical Appliance and IBM WebSphere Cast Iron v6.3 and v7.0 Live SaaS offering. For WebSphere Cast Iron version v6.0 : Install the v interim fix or upgrade to v /v /v For WebSphere Cast Iron version v6.1 *: Install the v interim fix or upgrade to v /v /v For IBM WebSphere Cast Iron v6.3 *: Install the v interim fix or upgrade to v /v For IBM WebSphere Cast Iron v7.0: Upgrade to v by applying the fixpack. Upgrade to v7 should not be attempted on v6.1, v6.3, v6.4 virtual appliance if the appliance was originally a fresh install of v6 and later upgraded to a higher version 14

15 Salesforce.com certificate change to use SHA-256 hash algorithm. Salesforce is in the process of updating its certificate to SHA-256 hash algorithm, we are informing Cast Iron users that the certification changes should not ideally impact its connector functionality All Cast Iron versions supports Salesforce.com certificate change to use SHA-256 hash algorithm. 15

16 Bash Bug/Shellshock and Network Time Protocol Vulnerability Cast Iron is not impacted by Shellshock because 1. Cast Iron does not expose bash shell to customers Bash Bug or 2. Cast Iron does not use CGI bin 3. DataPower does not ship bash in its firmware Cast Iron is not impacted by NTP Vulnerability 16

17 Security Vulnerabilities fixed in CI Live POODLE GHOST Open SSL Heart bleed Java upgrade Open SSL CVE

18 FAQ s What are the different Security protocols and Securtity Features available in Cast Iron? We support all TLS protocols when SP a mode only TLSv1.2 is supported What are the Ports used by the Cast Iron appliance? Cast Iron appliance needs a few predefined ports to be open like 443, 80, 8080 etc. Does Cast Iron support WS Security or WS Trust with the Web Services endpoint? Cast Iron supports WS Security What all activities support secure communication? http,ws,ftp,pgp, WebSphere Support Technical Exchange 18

19 Connect with us! 1. Get notified on upcoming webcasts Send an to with subject line wste subscribe to get a list of mailing lists and to subscribe 2. Tell us what you want to learn Send us suggestions for future topics or improvements about our webcasts to wsehelp@us.ibm.com WebSphere Support Technical Exchange 19

20 Questions and Answers WebSphere Support Technical Exchange 20

21 Additional WebSphere Product Resources Learn about upcoming WebSphere Support Technical Exchange webcasts, and access previously recorded presentations at: Discover the latest trends in WebSphere Technology and implementation, participate in technically-focused briefings, webcasts and podcasts at: Join the Global WebSphere Community: Access key product show-me demos and tutorials by visiting IBM Education Assistant: View a webcast replay with step-by-step instructions for using the Service Request (SR) tool for submitting problems electronically: Sign up to receive weekly technical My Notifications s: WebSphere Support Technical Exchange 21