IBM Support

Security Bulletin: Vulnerability in SSLv3 affects FileNet Content Manager, FileNet BPM and IBM Content Foundation (CVE-2014-3566)

Security Bulletin


Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is a configurable option in FileNet Content Manager and FileNet BPM products. If using SSLv3 with these products, please refer to the sections below to remediate the POODLE security vulnerability.

Vulnerability Details

CVE-ID: CVE-2014-3566

DESCRIPTION: A remote attacker could obtain sensitive information, caused by a design error with the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plain text of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM FileNet Content Manager 5.0.0, 5.1.0, 5.2.0, 5.2.1 (includes CE, CSS and CFS)
IBM Content Foundation 5.2.0, 5.2.1 (includes CPE and CSS)
IBM FileNet Business Process Manager 4.5.1, 5.0.0

Remediation/Fixes

Upgrade to Java Runtime Environment (JRE) 1.6.0 SR16 FP2 or higher where SSLv3 is disabled by default to avoid the POODLE security vulnerability. By installing the applicable fixes in the table below, the private IBM JRE used by Process Engine (PE), Content Engine (CE/CPE) and Content Search Services (CSS) will be updated to 1.6.0 SR16 FP2.

Product                          VRMF    Remediation/First Fix Available
FileNet Content Manager          5.0.0   5.0.0.3-P8CE-FP003 - May 19, 2015
                                 5.1.0   5.1.0.5-P8CE-FP005 - Jan 29, 2015
                                         5.1.0.0-P8CSS-IF010 - Jan 29, 2015
                                 5.2.0   5.2.0.3-P8CPE-IF005 - Mar 10, 2015
                                         5.2.0.2-P8CSS-IF002 - Mar 10, 2015
                                 5.2.1   5.2.1.0-P8CPE-IF002 - April 8, 2015
                                         5.2.1.0-P8CSS-IF001 - April 8, 2015
IBM Content Foundation           5.2.0   5.2.0.3-P8CPE-IF005 - Mar 10, 2015
                                         5.2.0.2-P8CSS-IF002 - Mar 10, 2015
                                 5.2.1   5.2.1.0-P8CPE-IF002 - April 8, 2015
                                         5.2.1.0-P8CSS-IF001 - April 8, 2015
FileNet Business Process Manager 4.5.1   4.5.1.4-P8PE-IF007 - April 8, 2015
                                 5.0.0   5.0.0.7-P8PE-IF001 - Dec 10, 2014
                                         5.0.0.8-P8PE-FP008 - Jan 29, 2015


IBM recommends that you review your entire environment to identify products and components that enable the SSLv3 protocol. The only way to truly mitigate the SSLv3 security vulnerability is to disable the SSLv3 protocol. To establish secure connections between components, there are other protocols such as the Transport Layer Security (TLS) protocol that can be used.

The SSLv3 vulnerability must be addressed at two levels: the FileNet P8 level and the application server level.

At the FileNet P8 level (which includes Content Engine (CE/CPE), Process Engine (PE) and Content Search Services (CSS)), upgrade to the appropriate releases listed in the table above.

At the application server level (where Content Engine (CE/CPE) and Content Federation Services (CFS) reside)
- WebSphere:
1) Apply the appropriate Interim Fix listed in this Security Bulletin:
http://www.ibm.com/support/docview.wss?uid=swg21687173
2) Configure one of the following SSL protocol options on the CE/CPE and CFS WebSphere Application Servers: TLS, TLSv1, TLSv1.1, TLSv1.2, SSL_TLS, SSL_TLSv2

- WebLogic, JBoss:
Either upgrade the application server Java Runtime Environment (JRE) to SR16 FP2 or higher or disable SSLv3 using the links in the Workarounds and Mitigations section below.

The CE/CPE Client Downloader now supports the Transport Layer Security (TLS) protocol as an alternative to the SSLv3 protocol in the releases listed in the table above. CE/CPE clients that use the Content Engine (CE/CPE) Client Download API, such as ICN Configuration Manager and Content Federation Services setup, should also be upgraded to JRE SR16 FP2 or higher.
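After the fixes have been applied at both levels, confirm on each endpoint that SSLv3 is really gone. The following Python script is an added example, not part of this bulletin or of the FileNet products: it sends a raw SSLv3 ClientHello (record and protocol version 3.0, no extensions) to a host and port you supply, such as the HTTPS port of the application server hosting CE/CPE, and reports whether the server answered with an SSLv3 ServerHello (still exposed to POODLE) or rejected the handshake with an alert or by closing the connection. It uses only the standard library; the cipher-suite list is a constructed selection of suites commonly enabled on SSLv3 endpoints. A raw probe is used because current OpenSSL builds are often compiled without SSLv3, so openssl s_client -ssl3 is frequently unavailable.

```python
import os
import socket
import struct
import sys

SSLV3 = b"\x03\x00"  # record/protocol version bytes for SSLv3

# Constructed list of cipher suites to offer. The CBC suites are the ones POODLE
# targets; RC4 is included so a server that only permits RC4 under SSLv3 still answers.
CIPHER_SUITES = [
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x0005,  # TLS_RSA_WITH_RC4_128_SHA
    0x0004,  # TLS_RSA_WITH_RC4_128_MD5
]

ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}


def build_sslv3_client_hello(client_random=None):
    """Return one SSLv3 record carrying a ClientHello with client_version 3.0.

    SSLv3 has no extensions, so the body is: version, 32-byte random, empty
    session id, cipher suite vector, and the single 'null' compression method.
    """
    if client_random is None:
        client_random = os.urandom(32)
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (SSLV3 + client_random + b"\x00"
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")
    # Handshake header: type 1 (ClientHello) + 24-bit length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake) + version + 16-bit length.
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_server_response(data):
    """Map the first record the server sent back to a human-readable verdict."""
    if len(data) < 5:
        return "rejected: connection closed without a handshake response"
    content_type, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if content_type == 0x15 and len(payload) >= 2:  # alert record
        description = payload[1]
        return "rejected: alert %s" % ALERT_NAMES.get(description, str(description))
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:  # ServerHello
        if payload[4:6] == SSLV3:
            return "accepted: server negotiated SSLv3 (POODLE exposure remains)"
        return "unexpected: ServerHello with version %s" % payload[4:6].hex()
    return "unexpected: record content type 0x%02x" % content_type


def probe(host, port, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_server_response(data)


if __name__ == "__main__":
    # Usage: python sslv3_probe.py <host> <port>
    # (host and port are yours to supply, e.g. the CE/CPE application server HTTPS port)
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    print("%s:%d -> %s" % (target_host, target_port, probe(target_host, target_port)))
```

Run it against every listener that carried SSLv3 traffic (CE/CPE, PE, CSS and the application server ports). The probe only tests the server side; clients that still offer SSLv3 first, such as the Client Downloader on an old JRE, are covered by the JRE upgrade described above.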

Workarounds and Mitigations

Content Federation Services (CFS)
Content Federation Services (CFS) uses SSLv3 with the CE/CPE Client Downloader. For 5.2.0.2-CFS-FP002 and prior, launch the CFS installer program specifying JRE SR16 FP2 or higher to use the TLS protocol instead of SSLv3.
The command syntax is:

    <Executable file name for CFS installer> LAX_VM <path to the SR16 FP2 or later Java executable>

For example:
(Windows; quote the path because it contains spaces)
5.1.0-CFS-WIN.EXE LAX_VM "C:\Program Files (x86)\Java\JRE6_SR16FP2\bin\java.exe"

(UNIX)
./5.1.0-CFS-<PLATFORM>.BIN LAX_VM /opt/ibm-java-jre-6.0-16.2-i386/jre/bin/java


Content Search Services (CSS)
If you cannot upgrade to one of the CSS releases that disables SSLv3 automatically (5.1.0.0-P8CSS-IF010, 5.2.0.2-P8CSS-IF002 or 5.2.1.0-P8CSS-IF001), SSLv3 can be disabled manually by following the steps below.

1) Add the following JVM option to the last line of the Content Search Services (CSS) startup script (it can be placed after the shutdown-on-OOM parameter): -Dcom.ibm.jsse2.usefipsprovider=true
This makes IBMJSSE2 run in FIPS mode, in which only the TLS protocols are offered, so SSLv3 is no longer negotiated.

2) In the file [ECMTS_HOME]\Java60\jre\lib\security\java.security change the lines:
#ssl.SocketFactory.provider=
#ssl.ServerSocketFactory.provider=
to
ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl

3) Also in the file [ECMTS_HOME]\Java60\jre\lib\security\java.security change the lines:
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
to
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.security.sasl.IBMSASL
security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.9=org.apache.harmony.security.provider.PolicyProvider
security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
(IBMJCEFIPS is inserted as provider 2, immediately after IBMJSSEProvider2, and every provider that followed it is renumbered up by 1. Keep the list contiguous: the JRE stops loading providers at the first gap in the numbering.)
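Steps 2 and 3 are easy to get wrong by hand across several CSS servers. The following Python script is an added example, not something shipped with CSS or the IBM JRE: it applies both steps idempotently to the text of a java.security file, setting the two factory lines to the IBMJSSE2 classes and inserting IBMJCEFIPS as provider 2 with the remaining providers renumbered without gaps. Step 1 (the JVM option in the startup script) is not automated here. The embedded sample is constructed from the provider list in this bulletin; the file path on the command line is yours to supply.

```python
import re
import sys

FIPS_PROVIDER = "com.ibm.crypto.fips.provider.IBMJCEFIPS"
FACTORY_LINES = {
    "ssl.SocketFactory.provider": "com.ibm.jsse2.SSLSocketFactoryImpl",
    "ssl.ServerSocketFactory.provider": "com.ibm.jsse2.SSLServerSocketFactoryImpl",
}
PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(\S+)$")

# Constructed sample mirroring the provider list in this bulletin (shortened).
SAMPLE_JAVA_SECURITY = """\
#ssl.SocketFactory.provider=
#ssl.ServerSocketFactory.provider=
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
"""


def enable_fips_provider(text):
    """Return java.security text with the factory lines set and IBMJCEFIPS at position 2."""
    out = []
    providers = []  # (index in out, provider class) in file order
    for line in text.splitlines():
        stripped = line.strip()
        # Step 2: uncomment (or overwrite) the two socket factory lines.
        key = stripped.lstrip("#").split("=", 1)[0]
        if key in FACTORY_LINES:
            out.append("%s=%s" % (key, FACTORY_LINES[key]))
            continue
        match = PROVIDER_RE.match(stripped)
        if match:
            providers.append((len(out), match.group(2)))
        out.append(line)

    # Step 3: insert the FIPS provider after IBMJSSEProvider2 and renumber. Running
    # the script twice is safe because an existing IBMJCEFIPS entry is left alone.
    classes = [cls for _, cls in providers]
    if providers and FIPS_PROVIDER not in classes:
        classes.insert(1, FIPS_PROVIDER)
        provider_indices = {idx for idx, _ in providers}
        renumbered = []
        for idx, line in enumerate(out):
            if idx == providers[0][0]:
                # Emit the whole list contiguously at the first provider's position,
                # numbered 1..n with no gaps.
                for n, cls in enumerate(classes, start=1):
                    renumbered.append("security.provider.%d=%s" % (n, cls))
            if idx not in provider_indices:
                renumbered.append(line)
        out = renumbered
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python css_fips.py [ECMTS_HOME]/Java60/jre/lib/security/java.security
    # A copy of the original is written next to it with a .bak suffix first.
    # Without a path, the constructed sample is rewritten and printed.
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path, encoding="utf-8") as f:
            original = f.read()
        with open(path + ".bak", "w", encoding="utf-8") as f:
            f.write(original)
        with open(path, "w", encoding="utf-8") as f:
            f.write(enable_fips_provider(original))
    else:
        sys.stdout.write(enable_fips_provider(SAMPLE_JAVA_SECURITY))
```

Diff the rewritten file against the .bak copy before restarting CSS, and check that the provider numbers run 1..n with no duplicates.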


If you cannot install JRE SR16 FP2 or higher on the Content Engine (CE/CPE) server, the Content Federation Services (CFS) server and the ECM clients (as is the case for WebLogic or JBoss configurations), the following links describe how to disable SSLv3 at the application server level.

How to disable SSLv3 for WebSphere:
http://www.ibm.com/support/docview.wss?uid=swg21687173

How to disable SSLv3 for JBoss:
https://access.redhat.com/solutions/1232233

How to disable SSLv3 for WebLogic:
https://support.oracle.com/rs?type=doc&id=1936300.1


Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References


Acknowledgement

None

Change History

10 December 2014: Original Version Published
12 March 2015: Added initial releases
16 March 2015: Corrected typo in Transport Layer Security (TLS), was incorrectly "TSL"
8 April 2015: Updated the Remediation/Fixes and Workarounds/Mitigations sections for 5.2.1 releases.
9 April 2015: Updated Remediation/Fixes for private JRE and Workarounds and Mitigations for CFS.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.


Document Information

Modified date:
14 July 2021

UID

swg21688638