Security Bulletin
Summary
SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in Rational Insight.
Vulnerability Details
CVE-ID: CVE-2014-3566
Description: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Products and Versions
Rational Insight 1.1, 1.1.1, 1.1.1.1, 1.1.1.2, 1.1.1.4, 1.1.1.5 and 1.1.1.6
Remediation/Fixes
Apply the recommended fixes to all affected versions of Rational Insight.
Rational Insight 1.1
- Download the IBM Cognos Business Intelligence 10.1.1 Interim Fix 9.
Review technote 1679272: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Insight 1.1 for detailed instructions.
Rational Insight 1.1.1, 1.1.1.1 and 1.1.1.2
- Download the IBM Cognos Business Intelligence 10.1.1 Interim Fix 9.
Read technote 1679281: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x for the detailed instructions for patch application.
Rational Insight 1.1.1.4, 1.1.1.5 and 1.1.1.6
- If the Data Collection Component (DCC) or Jazz Reporting Serivce (JRS) are used, review technote http://www.ibm.com/support/docview.wss?uid=swg21687762 for additional information specific to the Jazz Team Server that may be used by DCC and/or JRS.
Workarounds and Mitigations
SSL secured communication occurs between client and server, for example between a Web browser and a Web server on which the Rational Insight is installed and configured. To mitigate this issue and protect against POODLE attack, it is enough to secure either the Web browser or the server (or both). One suggestion is to secure the Web server into which DCC and/or JRS are installed and configured.
See the following links for general information on how to disable SSLv3 in Apache Tomcat and IBM WebSphere:
- IBM WebSphere: http://www.ibm.com/support/docview.wss?uid=swg21687173
- Apache Tomcat: https://access.redhat.com/solutions/1232233
Also reference http://www.ibm.com/support/docview.wss?uid=swg21687762 for additional information specific to the Jazz Team Server that may be used by DCC and/or JRS.
IBM recommends that you review your entire environment to identify other areas that enable the SSLv3 protocol and take appropriate mitigation such as disabling SSLv3 and remediation actions.
Get Notified about Future Security Bulletins
References
Acknowledgement
None
Change History
27 October 2014: Original copy published
17 March 2015: Remediation information updated
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Internal Use Only
PSIRT # 2290 Record # 44864
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21687602