VULNERABILITIES FOR TWS DISTRIBUTED WITH WEBSPHERE APPLICATION SERVER:
On a recent product update call with IBM, we were informed of an important change to TWS4APPS
Multiple IBM WebSphere Application Server vulnerabilities have been discovered due to Java exposures. Users of Tivoli Workload Scheduler need to be aware since these vulnerabilities may impact TWS by affecting communications between eWAS and subcomponents through Java exposures. Versions 8.4.0 to 8.60 of TWS, TDWC and TWS z/OS Connector are affected.
Details of the individual vulnerabilities are as follows:
- A vulnerability in the IBMSecureRandom implementation of the IBMJCE and IBMSecureRandom cryptographic providers potentially allows an attacker to predict the output of the random number generator under certain circumstances
- An unspecified vulnerability related to the JNDI component has partial confidentiality impact, partial integrity impact, and no availability impact
- Three unspecified vulnerabilities related to the Security component have partial confidentiality impact, partial integrity impact, and no availability impact
The issues have been fixed by updating Java inside eWAS installed with the latest fixpack version of TWS. IBM advise that it should be installed after the Limited Availability fix IV61280 has been applied. For further information you can view the official IBM alert here.
VULNERABILITIES FOR TWS WITH SSLv3 ENABLED:
If you have enabled SSLv3 within TWS, then you need to take action to remediate a vulnerability that has been referred to as the Padding Oracle on Downgraded Legacy Encryption (POODLE) attack. This vulnerability has the potential to allow a remote attacker to obtain sensitive information, when using the SSLv3 protocol, and has been caused by a design error. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE attack to decrypt SSL sessions and access the plaintext of encrypted connections. Further details of the vulnerability, along with details of affected versions and fixes can be found by viewing the IBM announcement here.
If you are unsure whether your organisation is affected by these vulnerabilities, have any questions, or require assistance in remediation, then please call +44 (0)8452 696536 or email email@example.com.