IBM has released the following fixes for IBM Security Access Manager Appliance in response to CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754.
CVEID: CVE-2017-5753
CVEID: CVE-2017-5715
CVEID: CVE-2017-5754
Affected Product Name
| Affected Versions
—|—
IBM Security Access Manager for Web | 7.0 - 7.0.0.34
IBM Security Access Manager for Web | 8.0 - 8.0.1.7
IBM Security Access Manager for Mobile | 8.0 - 8.0.1.7
IBM Security Access Manager | 9.0-9.0.4.0
Product
| VRMF |APAR|**Remediation **
—|—|—|—
IBM Security Access Manager for Web | 7.0 - 7.0.0.34 | IJ06994 | Apply Interim Fix 35:
7.0.0-ISS-WGA-IF0035
IBM Security Access Manager for Web | 8.0 - 8.0.1.7 | IJ06985 | Upgrade to 8.0.1.8:
8.0.1-ISS-WGA-FP0008_ _
IBM Security Access Manager for Mobile | 8.0 - 8.0.1.7 | IJ06991 | Upgrade to 8.0.1.8:
8.0.1-ISS-ISAM-FP0008
IBM Security Access Manager | 9.0-9.0.4.0 | IJ06985 | Upgrade to 9.0.5.0:
9.0.5-ISS-ISAM-FP0000
Please note that there is a potential change to performance when the Spectre/Meltdown fixes are applied. As a result, the Spectre/Meltdown fixes are disabled by defaultin some environments.
In ISAM 9, the fixes are disabled by default on the following two hypervisors:
- XenServer
- Amazon Web Services (AWS)
The fix is enabled by default in all other ISAM 9 environments.
In ISAM 7 & 8 environments, the Spectre/Meltdown fixes are disabled by default in allenvironments.
Administrators can use the following Advanced Tuning Parameter to enable and disable the Spectre/Meltdown fixes. You can change the value for this Advanced Tuning Parameter in the local management interface by selecting Manage System Settings > System Settings > Advanced Tuning Parameters.
kernel.disable.spectre = true/false
true - indicates that the fix is disabled.
false - indicates that the fix will be enabled.
IBM recommends using a value of kernel.disable.spectre = false in all ISAM environments.Administrators are advised to evaluate the performance in their environments and make deployment adjustments accordingly.
Performance impact summary
Administrators can expect performance degradation after they enable the mitigation for the vulnerability. Processing times are impacted and as such, users submitting browser-based requests are likely to experience increased response times.
The impact on appliance performance is estimated to be in the 0% to 10% range for most IBM Security Access Manager environments.
However, for XenServer and Amazon Web Service (AWS) environments, testing has shown that the impact on performance from 0% to upwards of 20%.
Due to the nature of more complex environments, this performance degradation may be higher.
None