Resolution: Users can adopt either of the following approaches to avoid the FREAK Vulnerability (CVE-2015-0204) in TIBCO ActiveMatrix BusinessWorks.
Method 1:
By default, BW uses the ENTRUST security provider; if no TRA file sets a provider explicitly, BW is using ENTRUST. To switch to J2SE, add the Java property java.property.TIBCO_SECURITY_VENDOR to the TRA file and set it as follows: java.property.TIBCO_SECURITY_VENDOR=J2SE.
With J2SE as the security provider, users can disable particular ciphers by editing the java.security file under the <TIBCO_HOME>\tibcojre64\1.7.0\lib\security folder. Follow the steps below.
1). Stop all the BW applications on the system.
2). cd <TIBCO_HOME>\tibcojre64\1.7.0\lib\security
3). Open the java.security file and search for jdk.tls.disabledAlgorithms. If it is present, set it to RC4. If it is not present, add it manually as follows:
jdk.tls.disabledAlgorithms=RC4 (Example).
Users should work with their internal security team to determine which ciphers to disable (the export-level ciphers) to eliminate exposure to FREAK.
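One way to carry out steps 2 and 3 of Method 1 repeatably, as an added shell example that is not part of the TIBCO article: it backs up java.security, then rewrites jdk.tls.disabledAlgorithms in place when an active definition exists and appends it otherwise. The function names and the constructed sample file are assumptions; the algorithm list passed in is whatever the internal security team chooses.

```shell
#!/bin/sh
# Added example (not TIBCO's code): idempotently set jdk.tls.disabledAlgorithms in a
# java.security file, taking a backup first. Assumes one property per line (no
# backslash continuation) and that the algorithm list contains no '|' or '&'.
PROP='jdk.tls.disabledAlgorithms'

set_disabled_algorithms() {           # $1 = java.security path, $2 = algorithm list
  file="$1"; value="$2"
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  cp "$file" "$file.bak" || return 1  # keep an untouched copy before editing
  # only an active (uncommented) definition counts; '#jdk.tls...' lines are ignored
  if grep -q "^[[:space:]]*$PROP[[:space:]]*=" "$file"; then
    sed "s|^[[:space:]]*$PROP[[:space:]]*=.*|$PROP=$value|" "$file" > "$file.tmp" \
      && mv "$file.tmp" "$file"
  else
    printf '\n%s=%s\n' "$PROP" "$value" >> "$file"
  fi
}

get_disabled_algorithms() {           # print the effective value for verification
  sed -n "s/^[[:space:]]*$PROP[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Demo on a constructed sample; on a real system the file is
# <TIBCO_HOME>\tibcojre64\1.7.0\lib\security\java.security as the article states.
demo_file=$(mktemp)
printf '# constructed sample\nsecurity.provider.1=sun.security.provider.Sun\n#%s=SSLv3\n' "$PROP" > "$demo_file"
set_disabled_algorithms "$demo_file" "RC4"
echo "now: $(get_disabled_algorithms "$demo_file")"     # prints: now: RC4
rm -f "$demo_file" "$demo_file.bak"
```

Run get_disabled_algorithms after the BW restart to confirm the value actually in effect, since a commented-out line or a second definition later in the file would otherwise go unnoticed.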
Method 2:
Users can also avoid FREAK by using ENTRUST with the AES-256 symmetric encryption algorithm. To use AES-256, users have to install the Unlimited Strength Jurisdiction Policy files for Java.
Installing Unlimited Jurisdiction Files:
Java vendors ship a default set of policy files that do not permit unlimited strength cryptography; in particular, the default set restricts the use of 256-bit AES. In countries exempt from these restrictions, users can download and install an unlimited strength set of the policy files.
Follow these steps to install the unlimited strength policy files:
1). Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from the JRE vendor.
2). Back up the files located in TIBCO_HOME/tibcojre/jre_version/lib/security.
3). Extract the files downloaded in Step 1 to TIBCO_HOME/tibcojre/jre_version/lib/security.
4). Restart all TIBCO applications.
Refer to BW Documentation -> BW Palette Reference -> Policy Palette -> Security Policy -> Installing Unlimited Jurisdiction Files for further details.