Feb 12, 2016, 8:22 AM
155 Posts

FLASH: Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affect IBM Domino (2016.02.11)

  • Category: Domino Administrator
  • Platform: IBM i
  • Release: 9.0.1
  • Replies: 8

1.  IBM Domino: Security bulletin

- TITLE: Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affect IBM Domino
- URL: http://www.ibm.com/support/docview.wss?uid=swg21976262&myns=swglotus&mynp=OCSSKTMJ&mync=E&cm_sp=swglotus-_-OCSSKTMJ-_-E
- ABSTRACT: There are multiple vulnerabilities in IBM® SDK Java (TM) Technology Edition, Version 6 SR16FP15 that is used by IBM Domino. These issues were disclosed as part of the IBM Java SDK updates in January 2016 and include the vulnerability commonly referred to as "SLOTH".



Feb 12, 2016, 10:34 AM
53 Posts

I installed the new JVM on a Domino 9.0.1 FP5 IF1 64-bit server and immediately lost the ability to use the Domino Console, both on the server and remotely; it will just not connect. I upgraded an admin client also, with the same result: the Console would not connect to any server, not just the one with the upgraded JVM. I uninstalled the JVM update and normal service resumed, and I can connect both locally and remotely again.

I have a PMR open and awaiting IBM's feedback.

Feb 15, 2016, 9:55 AM
53 Posts
Workaround available...

I have just received the following update from IBM:

This was an intentional change by the JVM team in Java6SR16FP20 to tighten security by disabling the MD5 algorithm by default in the last JVM release. Unfortunately, the Domino server console can only do MD5 right now. The workaround is to re-enable the MD5 algorithm in the JVM.

Navigate to this file. The values in blue were pointed out, so removing them should remedy.

jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

It is a shame they could not have documented this beforehand!!!

Hopefully this will be resolved in FP6

Feb 17, 2016, 12:28 PM
2 Posts
Thank you for reporting back

Yes, a little heads up from IBM would have been nice. Might have gotten more sleep last night.

Feb 24, 2016, 9:33 AM
53 Posts
Further detail from IBM

The server controller loads on port 2050 with a self-signed MD5 certificate.
This is the reason why we need MD5 removed from jvm/lib/security/java.security parameters jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms

Various security concerns around the protocols and ciphers used to secure port 2050 were raised with the area developers a while back. There are changes under way, and we hope to be able to include them in 901FP6.
Currently IBM is investigating various solutions to leverage a more secure cipher for the Java Console/Domino Server Controller.
These solutions are tracked as SPR# RSSNA6UU79 and SPR# PJONA6K3B3, and include TLS 1.2 as a supported protocol for securing the Java console.

At present, re-adding MD5 to the jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms will allow you to use the Java Console with JVM SR16FP20.
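
An added example, not part of the original posts and not IBM's code: a Python check that reads java.security content and reports whether MD5 is still disabled in the two properties named above, so the workaround can be found and reverted once a fixed console is installed. The function names are hypothetical, the parser handles only key=value lines, comments and backslash continuations, and the second sample is constructed.

```python
import sys

# The two java.security properties named in the thread.
PROPS = ("jdk.certpath.disabledAlgorithms", "jdk.tls.disabledAlgorithms")

# Values as quoted in the thread (MD5 disabled).
HARDENED = """\
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
"""

# Constructed sample: the same settings after the workaround, with a continuation line.
WORKAROUND = r"""# constructed sample
jdk.certpath.disabledAlgorithms=MD2, \
    RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
"""

def parse_properties(text):
    """Parse key=value lines, skipping comments and joining backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        key, sep, value = (pending + line).partition("=")
        pending = ""
        if sep:
            props[key.strip()] = value.strip()
    return props

def md5_status(text):
    """Map each property to its entries that disable MD5 (empty list: MD5 allowed)."""
    props = parse_properties(text)
    return {name: [e.strip() for e in props.get(name, "").split(",")
                   if e.strip().upper().startswith("MD5")] for name in PROPS}

def md5_reenabled(text):
    """List the properties in which MD5 is no longer disabled."""
    return [name for name, hits in md5_status(text).items() if not hits]

if __name__ == "__main__":
    # Optional argument: path to a java.security file; otherwise use the samples.
    texts = [open(sys.argv[1]).read()] if len(sys.argv) > 1 else [HARDENED, WORKAROUND]
    for t in texts:
        weak = md5_reenabled(t)
        print("MD5 allowed in:", ", ".join(weak) if weak else "none")
```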

Mar 28, 2016, 7:03 PM
36 Posts
New version of Java Patch dated 21/3/16

Does this new Java patch fix this issue? JVMPatch_SR16FP20_RSSNA6UU79_W64_901.5_Server? It's dated 2016.03.21, released on 2016.03.25 as

There's no specific fix list available for this patch it seems. 



Mar 30, 2016, 5:35 AM
1 Posts
New version of Java Patch dated 21/3/16

The new JVM patch alone does not fix the issue.

I had to install 9.0.1FP5 IF2 in addition to the new JVM patch, and together they fixed the issue.

This is my experience.