IBM Support

Security Bulletin: Vulnerability in SSLv3 affects Rational Insight (CVE-2014-3566)

Created by Cheng-Yee Lin on
Published URL:
https://www.ibm.com/support/pages/node/254269
254269

Security Bulletin


Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in Rational Insight.

Vulnerability Details

CVE-ID: CVE-2014-3566

Description: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Rational Insight 1.1, 1.1.1, 1.1.1.1, 1.1.1.2, 1.1.1.4, 1.1.1.5 and 1.1.1.6

Remediation/Fixes

Apply the recommended fixes to all affected versions of Rational Insight.



Rational Insight 1.1


Rational Insight 1.1.1, 1.1.1.1 and 1.1.1.2


Rational Insight 1.1.1.4, 1.1.1.5 and 1.1.1.6

Workarounds and Mitigations

SSL secured communication occurs between client and server, for example between a Web browser and a Web server on which the Rational Insight is installed and configured. To mitigate this issue and protect against POODLE attack, it is enough to secure either the Web browser or the server (or both). One suggestion is to secure the Web server into which DCC and/or JRS are installed and configured.

See the following links for general information on how to disable SSLv3 in Apache Tomcat and IBM WebSphere:


Also reference http://www.ibm.com/support/docview.wss?uid=swg21687762 for additional information specific to the Jazz Team Server that may be used by DCC and/or JRS.

IBM recommends that you review your entire environment to identify other areas that enable the SSLv3 protocol and take appropriate mitigation such as disabling SSLv3 and remediation actions.

Get Notified about Future Security Bulletins

References

Off

Acknowledgement

None

Change History

27 October 2014: Original copy published
17 March 2015: Remediation information updated

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

PSIRT # 2290 Record # 44864

[{"Product":{"code":"SSRL5J","label":"Rational Insight"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"General Information","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"1.1;1.1.1;1.1.1.1;1.1.1.2;1.1.1.4;1.1.1.5;1.1.1.6","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
16 June 2018

UID

swg21687602