
PI31516: Enable strict CBC padding checks on TLS connections (CVE-2014-8730)

Abstract

Enable strict CBC padding checks on TLS connections (CVE-2014-8730)

Download Description

NOTE: For IBM HTTP Server 7.0 and later, this interim fix is superseded by the PI34229 interim fix. The PI34229 interim fix contains the fix for PI31516. You should install the PI34229 interim fix for those versions.

PI31516 resolves the following problem:

ERROR DESCRIPTION:
Transport Layer Security (TLS) padding vulnerability via a POODLE-like (Padding Oracle On Downgraded Legacy Encryption) attack affects IBM HTTP Server.

LOCAL FIX:

PROBLEM SUMMARY:
IBM HTTP Server could allow a remote attacker to obtain sensitive information, caused by some TLS implementations failing to check the contents of the padding bytes when CBC cipher suites are used. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE-like attack to decrypt sensitive information and recover the plaintext of secure connections.

PROBLEM CONCLUSION:
Strict CBC padding checks have been enabled for IHS on TLS connections.
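As an added illustration of the check described in the problem summary and conclusion (this is example code written for this page, not IBM HTTP Server or GSKit source), the Python below contrasts an SSLv3-style padding check, which reads only the final padding-length byte, with the TLS 1.0+ check that also requires every padding byte to equal that length. The record contents are constructed, the MAC verification that follows padding removal in a real TLS stack is omitted, and the block size of 16 assumes an AES cipher suite.

```python
# Added example (not IBM HTTP Server or GSKit code): the two styles of CBC
# padding validation that the problem summary contrasts, applied to the
# plaintext of an already-decrypted TLS record. Record contents and padding
# below are constructed for illustration. The MAC check that a real TLS
# stack performs after stripping padding is out of scope here.

BLOCK_SIZE = 16  # AES block size (assumption); a 3DES suite would use 8


class PaddingError(ValueError):
    """Raised when a decrypted record carries malformed padding."""


def pad_record(content: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Append TLS 1.0+ style padding: pad_len copies of pad_len, then the
    pad_len byte itself, so the result is a multiple of block_size."""
    pad_len = (block_size - (len(content) + 1) % block_size) % block_size
    return content + bytes([pad_len]) * pad_len + bytes([pad_len])


def padding_is_valid_lax(decrypted: bytes) -> bool:
    """SSLv3-style check: only the final byte (the padding length) is read.
    The padding bytes themselves are never inspected, which is the gap the
    fix closes."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    return pad_len + 1 <= len(decrypted)


def padding_is_valid_strict(decrypted: bytes) -> bool:
    """TLS 1.0+ check (RFC 5246 section 6.2.3.2): every padding byte must
    equal the padding-length byte. Mismatch bits are OR-ed together so the
    loop always visits every padding byte instead of stopping at the first
    difference; that is the shape a constant-time check takes, although
    CPython itself gives no timing guarantees."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    if pad_len + 1 > len(decrypted):
        return False
    padding = decrypted[len(decrypted) - pad_len - 1 : len(decrypted) - 1]
    mismatch = 0
    for byte in padding:
        mismatch |= byte ^ pad_len
    return mismatch == 0


def strip_padding(decrypted: bytes, strict: bool = True) -> bytes:
    """Return the record content, rejecting malformed padding."""
    valid = padding_is_valid_strict(decrypted) if strict else padding_is_valid_lax(decrypted)
    if not valid:
        raise PaddingError("bad padding")
    return decrypted[: len(decrypted) - decrypted[-1] - 1]


def audit(records):
    """For each (label, decrypted_record) report whether the lax and the
    strict check accept it, to show where the two diverge."""
    return [(label, padding_is_valid_lax(rec), padding_is_valid_strict(rec))
            for label, rec in records]


# Constructed sample records (decrypted plaintext, MAC omitted).
WELL_FORMED = pad_record(b"GET / HTTP/1.1")   # 14 bytes of content + \x01\x01
FULL_BLOCK = pad_record(b"A" * BLOCK_SIZE)    # 16 bytes + fifteen \x0f + \x0f
# Same record with one padding byte altered but the length byte intact:
# a lax check cannot tell this apart from WELL_FORMED.
TAMPERED = WELL_FORMED[:-2] + b"\x7f" + WELL_FORMED[-1:]

SAMPLES = [("well-formed", WELL_FORMED), ("full-block", FULL_BLOCK), ("tampered", TAMPERED)]

if __name__ == "__main__":
    for label, lax_ok, strict_ok in audit(SAMPLES):
        print(f"{label:12s} lax={lax_ok!s:5s} strict={strict_ok}")
```

The tampered record is the case that matters: the lax check accepts it and returns the same content as for the well-formed record, so a receiver using that check treats "padding content" and "MAC failure" as distinguishable outcomes; the strict check rejects it, removing that distinction.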

NOTE: This interim fix also includes the updates for PI27904, which disables SSL v3 by default on IHS 7.0 and newer. If needed, you can re-enable the SSL v3 protocol by adding the following directive to your IHS configuration file:

SSLProtocolEnable SSLv3

The 'SSLProtocolEnable' directive was added to IHS 7.0 in this same update.

This fix is targeted for IBM HTTP Server fix packs:
- 7.0.0.37
- 8.0.0.11
- 8.5.5.5

Prerequisites

IMPORTANT NOTE: The interim fix for 6.1.0.47 requires the installed global GSKit to be at or above the level provided by one of the following interim fixes; otherwise IBM HTTP Server may not start after this interim fix is applied: PI05309, PI09443, PI36417

UpdateInstaller is required for IHS 7.0 and 6.1 interim fixes.

UpdateInstaller (AIX, US English, 7250000 bytes): http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

Installation Instructions

For IHS 8.0 and 8.5.5, the interim fix can be installed using Installation Manager (IM) with the Web-based ("live") repository provided by IBM. It might be necessary to de-select the "Show recommended only" option within IM and to expand "Only fixes for version 8.x.y.z" to see the fix listed.

The interim fix is also available from Fix Central at the link listed in the Download Package section below.

Download Package

NOTE: For IBM HTTP Server 7.0 and later, this interim fix is superseded by the PI34229 interim fix. The PI34229 interim fix contains the fix for PI31516. You should install the PI34229 interim fix for those versions.

The 6.1 version of this interim fix is a cumulative interim fix. See the fix readme.txt for more information.

Downloads (US English, all dated 16 Jan 2015):
- 6.1.0.47 AixPPC32 (AIX, 1858131 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-AixPPC32-IFPI31516&productid=WebSphere Application Server&brandid=5
- 6.1.0.47 HpuxIA64 (HP-UX, 5316810 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-HpuxIA64-IFPI31516&productid=WebSphere Application Server&brandid=5
- 6.1.0.47 HpuxPaRISC (HP-UX, 2033212 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-HpuxPaRISC-IFPI31516&productid=WebSphere Application Server&brandid=5
- 6.1.0.47 LinuxPPC32 (Linux, 1940712 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-LinuxPPC32-IFPI31516&productid=WebSphere Application Server&brandid=5
- 6.1.0.47 LinuxS390 (Linux, 1688095 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-LinuxS390-IFPI31516&productid=WebSphere Application Server&brandid=5
- 6.1.0.47 LinuxX32 (Linux, 1626339 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-LinuxX32-IFPI31516&productid=WebSphere Application Server&brandid=5
- 6.1.0.47 SolarisSparc (Solaris, 3831846 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-SolarisSparc-IFPI31516&productid=WebSphere Application Server&brandid=5
- 6.1.0.47 SolarisX64 (Solaris, 1654727 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-SolarisX64-IFPI31516&productid=WebSphere Application Server&brandid=5
- 6.1.0.47 WinX32 (Windows, 4600783 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-WinX32-IFPI31516&productid=WebSphere Application Server&brandid=5

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Product: WebSphere Application Server (SSEQTP)
Component: IBM HTTP Server
Platforms: AIX, HP-UX, Linux, Solaris, Windows
Versions: 8.5.5.4, 8.5.5.3, 8.5.5.2, 8.0.0.9, 8.0.0.10, 7.0.0.35, 7.0.0.33, 6.1.0.47
Editions: Advanced, Base, Enterprise, Network Deployment, Single Server
Business Unit: Cloud & Data Platform (BU053)
Line of Business: Automation (LOB45)

Document Information

Modified date:
15 June 2018

UID

swg24039197