Vulnerability in RC4 (CVE-2015-2808) stream cipher affects ODBC Drivers used in IBM InfoSphere Information Server

Problem (Abstract)

The RC4 "Bar Mitzvah" vulnerability in SSL/TLS might affect some of the DataDirect ODBC Drivers.

Resolving the problem

Add the CipherList=DEFAULT:!RC4 attribute to the $DSHOME/.odbc.ini file.


On Linux / Unix platforms:

By default, the ODBCINI environment variable points to the .odbc.ini file under $DSHOME. The .odbc.ini file used at runtime is the file pointed to by ODBCINI. To resolve the issue, the customer needs to edit this file.

You can add the attribute in one of the following ways:
1. Add the attribute to each individual Data source (DSN). In this method, it is effective only for that particular DSN.
2. Add the attribute under the [ODBC] section. In this method, it is effective for all the DSNs defined in the .odbc.ini file.

For example, a sample DSN with the attribute added to it:

[DB2 Wire Protocol]
Driver=/opt/IBM/InformationServer/Server/branded_odbc/lib/VMdb200.so
Description=DataDirect DB2 Wire Protocol Driver
...
...
WithHold=1
CipherList=DEFAULT:!RC4

For example, a sample [ODBC] section from the .odbc.ini file with the entry added under it:

[ODBC]
IANAAppCodePage=4
InstallDir=/opt/IBM/InformationServer/Server/branded_odbc
...
...
UseCursorLib=0
CipherList=DEFAULT:!RC4
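
To confirm that the edit covers every data source, the added example below (not part of the original technote or any IBM tooling) parses an .odbc.ini file and reports, for each DSN, whether its effective CipherList contains !RC4. It assumes the standard [ODBC] and [ODBC Data Sources] section names and that a DSN-level CipherList takes precedence over the one under [ODBC]. The function names and sample DSNs B and C are constructed for illustration.

```python
import configparser
import os
import re
from pathlib import Path

# Driver-manager sections, not data sources (assumed standard .odbc.ini layout).
NON_DSN_SECTIONS = {"odbc", "odbc data sources"}

# Constructed sample: only the first DSN excludes RC4; [ODBC] has no CipherList.
SAMPLE = """\
[DB2 Wire Protocol]
Driver=/opt/IBM/InformationServer/Server/branded_odbc/lib/VMdb200.so
CipherList=DEFAULT:!RC4

[Constructed DSN B]
Description=constructed entry without CipherList

[Constructed DSN C]
CipherList=DEFAULT

[ODBC]
UseCursorLib=0
"""

def excludes_rc4(cipher_list):
    """True if the cipher string carries the !RC4 token the technote prescribes."""
    return cipher_list is not None and "!RC4" in re.split(r"[:,\s]+", cipher_list.strip())

def audit_odbc_ini(text):
    """Map each DSN section to (rc4_excluded, effective CipherList or None)."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True, delimiters=("=",))
    cp.read_string(text)
    glob = [cp.get(s, "CipherList", fallback=None) for s in cp.sections() if s.lower() == "odbc"]
    global_value = glob[0] if glob else None
    findings = {}
    for section in cp.sections():
        if section.lower() in NON_DSN_SECTIONS:
            continue
        own = cp.get(section, "CipherList", fallback=None)
        # Assumption: a DSN-level value takes precedence over the [ODBC] one.
        effective = own if own is not None else global_value
        findings[section] = (excludes_rc4(effective), effective)
    return findings

if __name__ == "__main__":
    path = os.environ.get("ODBCINI")  # the file the drivers read at runtime
    text = Path(path).read_text() if path else SAMPLE
    for dsn, (ok, value) in audit_odbc_ini(text).items():
        print(f"{'OK ' if ok else 'FIX'} [{dsn}] CipherList={value}")
```

Run with ODBCINI set, it audits the live file; otherwise it audits the constructed sample.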


On Windows platforms:

Use the registry editor to add the attribute to the data source (DSN):

- Depending on the bitness of the Windows operating system, choose
the appropriate path (as shown below) and then add a new string value
to the DSN.

- Set the name to CipherList and the value to DEFAULT:!RC4

On Windows 32-bit registry path:
For SYSTEM ODBC Data Source, go to:
HKEY_LOCAL_MACHINE\Software\ODBC\ODBC.INI\<yourdsname>

On Windows 64-bit registry path:
For SYSTEM ODBC Data Source, go to:
HKEY_LOCAL_MACHINE\Software\Wow6432Node\ODBC\ODBC.INI\<yourdsname>

The exact driver builds that started supporting the CipherList option are:

Drivers             Fixed Build Number           Qualified Build Number
SQL Server Native   07.14.0191 (B0186, U0132)    07.14.0197 (B0190, U0135)
PostgreSQL          07.14.0158 (B0186, U0132)    07.14.0165 (B0190, U0135)
Greenplum           07.14.0159 (B0186, U0132)    07.14.0166 (B0190, U0135)
MySQL               07.14.0126 (B0186, U0132)    07.14.0127 (B0189, U0134)
Sybase              07.14.0126 (B0186, U0132)    07.14.0143 (B0189, U0134)
Oracle              07.14.0193 (B0186, U0132)    07.14.0194 (B0189, U0134)
OpenEdge            07.14.0131 (B0186, U0132)    07.14.0136 (B0197, U0139)
DB2                 07.14.0156 (B0186, U0132)    07.14.0191 (B0202, U0140)




