Security Bulletin
Summary
SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in the Tivoli Storage Manager for Virtual Environments: Data Protection for VMware GUI and FlashCopy Manager for VMware GUI.
Vulnerability Details
CVE-ID: CVE-2014-3566
DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Products and Versions
Tivoli Storage Manager for Virtual Environments: Data Protection for VMware 7.1:
- 7.1.0.0 through 7.1.1.x
FlashCopy Manager for VMware 4.1:
- 4.1.0.0 through 4.1.1.x
Remediation/Fixes
Tivoli Storage Manager for VE: Data Protection for VMware Release | First Fixing VRMF Level | Client Platform | Link to Fix / Fix Availability Target |
7.1 | 7.1.2 | Linux Windows | http://www.ibm.com/support/docview.wss?uid=swg24039450 |
Tivoli Storage FlashCopy Manager for VMware Release | First Fixing VRMF Level | Client Platform | Link to Fix / Fix Availability Target |
4.1 | 4.1.2 | Linux | http://www.ibm.com/support/docview.wss?uid=swg24039478 |
Workarounds and Mitigations
Direct the GUI's Liberty profile webserver to disable use of the SSLv3 and older protocols. This is done by editing the webserver configuration to set the minimum protocol to be Transport Layer Security (TLS) 1.0.
Use the following procedure to edit the webserver configuration:
1. Locate the file server.xml in its current directory:
Windows: C:\IBM\tivoli\tsm\tdpvmware\webserver\usr\servers\veProfile
Linux: /opt/tivoli/tsm/tdpvmware/common/webserver/usr/servers/veProfile
2. Edit the server.xml file with a text editor as follows:
a) Locate the existing line that starts with <keyStore id="defaultKeyStore" ...
b) Insert the following 2 lines below it:
<ssl id="veSSLConfig" sslProtocol="TLS" keyStoreRef="defaultKeyStore"/>
<sslDefault sslRef="veSSLConfig"/>
c) Save the changes to server.xml
3. In same directory as server.xml, save the jvm.options file that is attached to this bulletin and located after the Disclaimer.
4. Restart the webserver as follows:
Windows:
a. Click Start > Control Panel > Administrative Tools > Services
b. Right-click Data Protection for VMware Web Server Service and click Restart
Linux: Issue the following command as root:
service webserver restart
The GUI is now operational with SSLv3 and older protocols disabled.
IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3. You should verify disabling SSLv3 does not cause any compatibility issues.
Get Notified about Future Security Bulletins
Subscribe to My Notifications to be notified of important product support alerts like this.
Get Notified about Future Security Bulletins
References
Acknowledgement
None
Change History
2015/04/20: Updated with TSM for VE VMware 7.12 fix and FCM VMware 4.1.2 fix.
2015/20/22: Updated document expiration
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
17 June 2018
UID
swg21690828