IBM Support

IT05253: VULNERABILITY IN SSLV3 AFFECTS IBM STERLING CONNECT:DIRECT FOR MICROSOFT WINDOWS (CVE-2014-3566)

Direct links to fixes

4.7.0.3-SterlingConnectDirectforMicrosoftWindows-x86-fp0003
4.6.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if007
4.7.0.3-SterlingConnectDirectforMicrosoftWindows-x86-fp0003-if002
4.6.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if010
4.7.0.3-SterlingConnectDirectforMicrosoftWindows-x86-fp0003-if005
4.7.0.3-SterlingConnectDirectforMicrosoftWindows-x86-fp0003-if012
4.6.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if015
4.6.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if017
4.7.0.3-SterlingConnectDirectforMicrosoftWindows-x86-fp0003-if015
4.7.0.3-SterlingConnectDirectforMicrosoftWindows-x86-fp0003-if020
4.6.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if022
4.7.0.4-SterlingConnectDirectforMicrosoftWindows-x86-fp0004
4.6.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if028
4.6.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006
4.7.0.4-SterlingConnectDirectforMicrosoftWindows-x86-fp0004-if007
4.6.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if008
4.7.0.4-SterlingConnectDirectforMicrosoftWindows-x86-fp0004-if016
4.6.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if009
4.6.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if013
4.6.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if015
4.7.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005
4.6.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if018
4.7.0.4-SterlingConnectDirectforMicrosoftWindows-x86-fp0004-if023
4.7.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if006
4.7.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if013
4.7.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if016
4.7.0.5-SterlingConnectDirectforMicrosoftWindows-x86-fp0005-if025
4.7.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006
4.7.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if005
4.7.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if006
4.7.0.6-SterlingConnectDirectforMicrosoftWindows-x86-fp0006-if012
4.7.0.7-SterlingConnectDirectforMicrosoftWindows-x86-fp0007
4.7.0.7-SterlingConnectDirectforMicrosoftWindows-x86-fp0007-if001
4.7.0.7-SterlingConnectDirectforMicrosoftWindows-x86-fp0007-if009
4.7.0.7-SterlingConnectDirectforMicrosoftWindows-x86-fp0007-if016
4.7.0.7-SterlingConnectDirectforMicrosoftWindows-x86-fp0007-if018
4.7.0.7-SterlingConnectDirectforMicrosoftWindows-x86-fp0007-if021
4.7.0.7-SterlingConnectDirectforMicrosoftWindows-x86-fp0007-if023
Sterling Connect:Direct for Microsoft Windows 4.6.0 Fix Packs

APAR status

  • Closed as program error.

Error description

  • SSLv3 contains a vulnerability that has been referred to as the
    Padding Oracle On Downgraded Legacy Encryption (POODLE,
    CVE-2014-3566) attack.  SSLv3 is enabled in IBM Sterling
    Connect:Direct for Microsoft Windows.
    

Local fix

  • STRRTC - 446820
    VF / VF
    Circumvention: None
    

Problem summary

  • Users Affected:
    Sterling Connect:Direct for Windows 4.5.00
    Sterling Connect:Direct for Windows 4.5.01
    Sterling Connect:Direct for Windows 4.6.0
    Sterling Connect:Direct for Windows 4.7.0
    
    Problem Description:
    The SSLv3 protocol contains a number of weaknesses including
    POODLE (Padding Oracle On Downgraded Legacy Encryption,
    CVE-2014-3566). IBM Sterling Connect:Direct for Microsoft
    Windows is therefore also vulnerable when the SSLv3 protocol is
    used.
    
    Platforms Affected:
    Windows
    

Problem conclusion

  • Resolution Summary:
    Updated the SSL/TLS handshake to prevent a remote attacker from
    initiating an SSLv3 fallback when the session must be TLS.
    
    Recommendation:
    SSLv3 is an obsolete and insecure protocol. Use the TLS
    protocol instead. To fully disable SSLv3 and use TLS instead,
    ensure that all secure connections are configured to 'Enable
    TLS Protocol' and 'Disable Override'.
    
    Delivered In:
    Sterling Connect:Direct for Windows 4.5.00 Patch 054
    Sterling Connect:Direct for Windows 4.5.01 Patch 020
    Sterling Connect:Direct for Windows 4.6.0.5
    Sterling Connect:Direct for Windows 4.7.0.2
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT05253

  • Reported component name

    STR CD FOR WIND

  • Reported component ID

    5725C9908

  • Reported release

    470

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2014-10-29

  • Closed date

    2014-11-12

  • Last modified date

    2014-11-12

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    STR CD FOR WIND

  • Fixed component ID

    5725C9908

Applicable component levels

Document Information

Modified date:
25 August 2023