Security Vulnerability on Agent Used for Gateway

By Kristen Meren posted Tue June 12, 2018 06:46 PM


by Sandra Jones

A customer recently reported vulnerability scan findings against the LZ agent used for the downstream gateway.

The environment was at 6.3 FP06.

1. [medium] SSL Enabled Server Supports Medium Strength SSL Encryption Certificates/Ciphers

2. [low] SSL 64-bit Block Size Cipher Suites Supported (SWEET32)


For the second item SWEET32 here are more details:


http://www-01.ibm.com/support/docview.wss?uid=swg21999452

However, technically the IHS in ITM is at most only possibly "vulnerable" to this CVE, because 3DES is not the preferred cipher in ITM and ITM does not transmit gigabyte-level volumes of data.

A fix for this will probably be available in April.

 

However, the first issue needed to be addressed.


There is a new feature in 6.3 FP07 to selectively disable/enable TLS protocols:


http://www-01.ibm.com/support/docview.wss?uid=swg1IV82451

However, since an upgrade could not be done at this time, the issue was reviewed and the following new settings were provided:

 
KDEBE_TLSV10_CIPHER_SPECS=""
KDEBE_TLSV11_CIPHER_SPECS=""
 
Note that each setting is an empty string. An empty cipher list removes every TLS 1.0 and TLS 1.1 cipher available to ITM, which effectively disables both protocols.


The customer added these parameters to ms.ini and ms.config (in ms.config the double quotes are omitted) on the RTEMS servers, which was enough to resolve the vulnerability on the downstream gateway connected to the RTEMS.
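As a way to confirm the change took effect, here is an added example (not code from the original post or from the ITM product): it validates the two KDEBE_* settings in ms.ini / ms.config text, including the quoting difference between the two files, and then probes the gateway listener for TLS 1.0, TLS 1.1 and a 3DES suite on TLS 1.2. The host, port and the OpenSSL cipher-string names are assumptions; only the two KDEBE_* keys come from the post.

```python
import socket
import ssl

# The two settings given in the post; both must be present and empty.
REQUIRED_KEYS = ("KDEBE_TLSV10_CIPHER_SPECS", "KDEBE_TLSV11_CIPHER_SPECS")


def parse_kde_settings(text, quoted):
    """Parse KEY=VALUE lines. ms.ini wraps values in double quotes
    (quoted=True); ms.config does not (quoted=False), so a literal ""
    left in ms.config is a two-character value, not an empty one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if quoted and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        settings[key.strip()] = value
    return settings


def legacy_tls_disabled(settings):
    """True only when both cipher-spec keys exist and are empty strings."""
    return all(settings.get(key) == "" for key in REQUIRED_KEYS)


def handshake_succeeds(host, port, version, ciphers="DEFAULT:@SECLEVEL=0"):
    """Offer exactly one TLS version (and cipher list) to host:port; True means
    the server accepted it. SECLEVEL=0 lets a modern OpenSSL offer legacy
    versions/ciphers at all; any failure (refused, timeout) counts as refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing protocol support, not identity
    try:
        ctx.minimum_version = ctx.maximum_version = version
        ctx.set_ciphers(ciphers)
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False


def audit_gateway(host, port):
    """Expected after the fix: all three False. host/port are assumed to be the gateway listener."""
    return {
        "tls1.0": handshake_succeeds(host, port, ssl.TLSVersion.TLSv1),
        "tls1.1": handshake_succeeds(host, port, ssl.TLSVersion.TLSv1_1),
        "tls1.2_3des": handshake_succeeds(host, port, ssl.TLSVersion.TLSv1_2, "DES-CBC3-SHA:@SECLEVEL=0"),
    }
```

Run the audit against the downstream gateway before and after editing ms.ini and ms.config; a True for tls1.0 or tls1.1 after the change usually means the quoting rule for one of the files was not followed.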
