Security Bulletin
Summary
IBM WebSphere Application Server and IBM Tivoli Monitoring are shipped as a component of IBM Tivoli Network Manager IP Edition. Information about a security vulnerability (CVE-2014-3566) affecting IBM WebSphere Application Server and IBM Tivoli Monitoring has been published in a security bulletin.
SSLv3 is enabled in all versions of IBM Tivoli Network Manager IP Edition through the IBM WebSphere Application Server.
Multiple vulnerabilities in OpenSSL affect IBM Tivoli Network Manager IP Edition V3.9 Fix Pack 4 HTTPS support for Perl Collectors (CVE-2014-3566, CVE-2014-3513, CVE-2014-3567, CVE-2014-3568 and the August 6th 2014 advisories).
IBM Tivoli Network Manager IP Edition 3.9 Fix Pack 4 added SSLv3 HTTPS support for three Perl Collectors (the Alcatel5620SamSoap collector, the Alcatel5620SamSoapFindtoFile collector, and the Alcatel5529IdmSoap collector), which required the user to install OpenSSL.
By default these three Perl Collectors are disabled, so users who leave them disabled are not vulnerable. The product does not include HTTPS support out of the box; the user needs to configure it and add the OpenSSL package.
1. SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. By default, SSLv3 is not enabled in IBM Tivoli Network Manager IP Edition V3.9 Fix Pack 4.
CVE-ID: CVE-2014-3566
2. Security vulnerabilities have been discovered in the OpenSSL 9.8 package.
CVE-IDs: CVE-2014-3513, CVE-2014-3567 and CVE-2014-3568.
3. Security vulnerabilities have been discovered in the OpenSSL 9.8 package that were reported on August 6th 2014 by the OpenSSL Project.
CVE-IDs: CVE-2014-3512, CVE-2014-3509, CVE-2014-3506, CVE-2014-3507, CVE-2014-3511, CVE-2014-3505, CVE-2014-3510, CVE-2014-3508 and CVE-2014-5139.
To address recent OpenSSL advisories, these three Perl collectors have been updated to use TLS as the default cryptographic protocol for communicating with the source EMS.
Vulnerability Details
Please consult the security bulletin "IBM WebSphere Application Server and IBM Tivoli Monitoring" for vulnerability details and information about fixes for these products.
Tivoli Network Manager IP Edition V3.9 Fix Pack 4 HTTPS support for Perl Collectors vulnerability details:
CVE-ID: CVE-2014-3566
DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2014-3513
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak in the DTLS Secure Real-time Transport Protocol (SRTP) extension parsing code. By sending multiple specially-crafted handshake messages, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97035 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-3567
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a memory leak when handling failed session ticket integrity checks. By sending an overly large number of invalid session tickets, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97036 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-3568
DESCRIPTION: OpenSSL could allow a remote attacker to bypass security restrictions. When configured with "no-ssl3" as a build option, servers could still accept and complete an SSL 3.0 handshake. An attacker could exploit this vulnerability to perform unauthorized actions.
CVSS Base Score: 2.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97037 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CVE-ID: CVE-2014-3512
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an internal buffer overrun. A remote attacker could exploit this vulnerability using invalid SRP parameters sent from a malicious server or client to cause a denial of service.
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95158 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-3509
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a race condition in the ssl_parse_serverhello_tlsext() code. If a multithreaded client connects to a malicious server using a resumed session, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95159 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-3506
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error when processing DTLS handshake messages. A remote attacker could exploit this vulnerability to consume an overly large amount of memory.
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95160 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-3507
DESCRIPTION: OpenSSL is vulnerable to a denial of service. By sending specially-crafted DTLS packets, a remote attacker could exploit this vulnerability to leak memory and cause a denial of service.
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95161 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-3511
DESCRIPTION: OpenSSL could allow a remote attacker to bypass security restrictions, caused by the negotiation of TLS 1.0 instead of higher protocol versions by the OpenSSL SSL/TLS server code when handling a badly fragmented ClientHello message. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to TLS 1.0.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95162 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE-ID: CVE-2014-3505
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a double-free error when handling DTLS packets. A remote attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95163 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-3510
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in anonymous ECDH ciphersuites. A remote attacker could exploit this vulnerability using a malicious handshake to cause the client to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95164 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-3508
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in OBJ_obj2txt. If applications echo pretty printing output, an attacker could exploit this vulnerability to read information from the stack.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95165 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2014-5139
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when an SRP ciphersuite is specified without being properly negotiated with the client. A remote attacker could exploit this vulnerability to cause the client to crash.
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95166 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Affected Products and Versions
All versions of Tivoli Network Manager IP Edition are affected by the IBM WebSphere Application Server and IBM Tivoli Monitoring advisories (CVE-2014-3566).
Tivoli Network Manager IP Edition V3.9 Fix Pack 4 is affected by the OpenSSL advisories only when HTTPS support for Perl Collectors is in use.
Remediation/Fixes
1. Tivoli Network Manager IP Edition V3.9 Fix Pack 4 HTTPS support for Perl Collectors:

| Affected Product and Version | Fixed Version | Download Fix URL |
| --- | --- | --- |
| IBM Tivoli Network Manager IP Edition V3.9 Fix Pack 4 (when HTTPS support for Perl Collectors is enabled) | IBM Tivoli Network Manager IP Edition V3.9 Fix Pack 4 Interim Fix 1 | http://www-01.ibm.com/support/docview.wss?uid=swg24039027 |
2. For IBM WebSphere, consult the IBM WebSphere Application Server security bulletin.

| Affected Product and Version(s) | Product and Version shipped as a component |
| --- | --- |
| Tivoli Network Manager 3.8 | Bundled the TIP version 1.1.1.x, IBM WebSphere version 6.1.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 5. |
| Tivoli Network Manager 3.9 | Bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. |
| Tivoli Network Manager 4.1 | Bundled the TIP version 2.2.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. |
| Tivoli Network Manager 4.1.1 | Bundled the TIP version 2.2.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. |
Workarounds and Mitigations
IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions.
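To support the environment review recommended above, the following is an added example (not IBM's code and not part of this bulletin): it sends a bare SSLv3 ClientHello to an endpoint and reports whether the server completes an SSLv3 ServerHello, which is the condition under which the POODLE (CVE-2014-3566) weakness applies. The target host and port are assumptions supplied by the operator; the cipher-suite list is a constructed sample of SSLv3-era suites.

```python
"""SSLv3 acceptance check: send a minimal SSLv3 ClientHello and classify the
first record the server sends back. Added example, not IBM code."""
import socket
import struct

# Record and handshake constants shared by SSL 3.0 (RFC 6101) and TLS (RFC 5246).
RT_HANDSHAKE, RT_ALERT = 0x16, 0x15
HT_CLIENT_HELLO, HT_SERVER_HELLO = 0x01, 0x02
SSLV3 = b"\x03\x00"
# Constructed sample of SSLv3-era RSA/DHE suites (IANA code points), so that a
# legacy server has something it can accept.
CIPHER_SUITES = bytes.fromhex("000a0005000400350039002f0033")

def build_sslv3_client_hello(client_random: bytes = b"\x00" * 32) -> bytes:
    """Return one SSLv3 record carrying a ClientHello with no extensions."""
    body = (SSLV3 + client_random + b"\x00"            # version, random, empty session id
            + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
            + b"\x01\x00")                              # one compression method: null
    handshake = bytes([HT_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RT_HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake

def classify_response(record: bytes) -> str:
    """Classify the server's first record.
    'accepts_sslv3': ServerHello with negotiated version 3.0 (SSLv3 still enabled)
    'refused':       an alert, or a ServerHello with any other version
    'unknown':       too short or not a recognisable record"""
    if len(record) < 5:
        return "unknown"
    rtype, plen = record[0], struct.unpack("!H", record[3:5])[0]
    payload = record[5:5 + plen]
    if rtype == RT_ALERT:
        return "refused"
    if rtype == RT_HANDSHAKE and len(payload) >= 6 and payload[0] == HT_SERVER_HELLO:
        # ServerHello: 4-byte handshake header, then the 2-byte server_version.
        return "accepts_sslv3" if payload[4:6] == SSLV3 else "refused"
    return "unknown"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to host:port (assumed operator-supplied) and classify the reply.
    A reset or closed connection is treated as a refusal of SSLv3."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_sslv3_client_hello())
            return classify_response(s.recv(4096))
    except OSError:
        return "refused"
```

A result of "accepts_sslv3" for any host in the inventory is the condition the bulletin asks you to remediate; "refused" from a server that answers TLS ClientHellos normally indicates SSLv3 has been disabled.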
References
OpenSSL Advisory on above listed CVEs
Change History
Jan 7th 2015
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date: 17 June 2018
UID: swg21683043