Security Bulletin
Summary
SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled by default in IBM WebSphere Message Broker and IBM Integration Bus.
Vulnerability Details
CVEID: CVE-2014-3566
DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plain text of encrypted connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVEID: CVE-2014-3568
Description: OpenSSL could allow a remote attacker bypass security restrictions. When configured with "no-ssl3" as a build option, servers could accept and complete a SSL 3.0 handshake. An attacker could exploit this vulnerability to perform unauthorized actions.
CVSS Base Score: 2.6
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/97037 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CVE-2014-3568 applies to the DataDirect Drivers shipped with WebSphere Message Broker and IBM Integration Bus. This only affects users of DataDirect ODBC SSL connectivity.
Affected Products and Versions
IBM Websphere Message Broker V7.0 and V8.0
IBM Integration Bus V9.0
IBM WebSphere Message Broker Hypervisor Edition V8.0
IBM Integration Bus Hypervisor Edition V9.0
IBM SOA Policy pattern for Red Hat Enterprise Linux Server
Remediation/Fixes
A fix is available for users of the DataDirect Drivers (ODBC SSL connectivity) shipped with WebSphere Message Broker 8.0 and IBM Integration Bus 9.0
| Product | VRMF | APAR | Remediation/Fix |
| IBM Integration Bus | V9.0.0.0- 9.0.0.3 | IT07249 | An interim fix is available from IBM Fix Central for all platforms. http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/Integration+Bus&release=All&platform=All&function=aparId&apars=IT07249 The APAR is targeted to be available in fix pack 9.0.0.4 |
| WebSphere Message Broker | V8.0.0.2 - 8.0.0.5 | IT07249 | An interim fix is available from IBM Fix Central for all platforms. http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=IT07249 The APAR is targeted to be available in fix pack 8.0.0.6. |
The planned maintenance release dates for WebSphere Message Broker and IBM Integration Bus are available at :
http://www.ibm.com/support/docview.wss?rs=849&uid=swg27006308
Workarounds and Mitigations
WebSphere Message Broker and IBM Integration Bus
The full list of acceptable protocols and their meaning are http://www-01.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/jsse2Docs/protocols.html
SSLv3 users MUST disable SSLv3 on WebSphere Message Broker and IBM Integration Bus servers and clients and switch to using the TLS protocol. The instructions on how to set up Message Broker and Integration Bus to use TLS instead of SSLv3 are given as URLs to the IBM Knowledge Center for IBM Integration Bus V9.0. The instructions are valid for all the versions of the product currently in service.
The inbound connections
Inbound HTTP connections using the broker-wide listener:
General instructions here: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/ap12234_.htm
mqsichangeproperties broker_name -b httplistener -o HTTPSConnector -n sslProtocol -v TLS
Inbound HTTP connections using the integration server listener will by default use TLS. If however it has been modified to match the broker-wide listener, use these instructions to make the necessary changes to use TLS:
General instructions here: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/ap12234_.htm
mqsichangeproperties broker_name -e integration_server_name -o HTTPSConnector -n sslProtocol -v TLS
Inbound SOAP connections using the broker-wide listener:
General instructions here: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/ap12234_.htm
mqsichangeproperties broker_name -b httplistener -o HTTPSConnector -n sslProtocol -v TLS
Inbound SOAP connections using the integration server listener will by default use TLS. If however it has been modified to match the broker-wide listener, use these instructions to make the necessary changes to use TLS:
General instructions here: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/ap12234_.htm
mqsichangeproperties broker_name -e integration_server_name -o HTTPSConnector -n sslProtocol -v TLS
TCPIP Server inbound:
General instructions here: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/bp34105_.htm
mqsichangeproperties broker_name -c TCPIPServer -o myTCPIPServerService -n SSLProtocol -v TLS
WebAdmin inbound:
General instructions here: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/bj23620_.htm
mqsichangeproperties broker_name -b webadmin -o HTTPSConnector -n sslProtocol -v TLS
The outbound connections
Once servers are changed to use TLS in favour of SSLv3 you will need to update outbound settings in WebSphere Message Broker and IBM Integration Bus using the following commands. In all of the following instructions, TLS can be substituted for SSL_TLS or SSL_TLSv2 if needed (e.g. to support fallback to SSLv3 in a transition period whilst the servers are being updated to use TLS). For making this change in the toolkit APAR IT04685 is required. Please contact IBM support.
For HTTP connections
Basic instructions: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/ap12235_.htm
In the SSL tab of the Request node(s) select TLS for the Protocol.
For SOAP connections that have been modified to use the non-default SSLv3 protocol
Basic instructions: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/ap34022_.htm
In the SSL tab of the Request node(s) select TLS for the Protocol.
TCPIP Client:
General information: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/bp34100_.htm
mqsichangeproperties broker_name -c TCPIPClient -o myTCPIPClientService -n SSLProtocol -v TLS
JMS Nodes:
Some general information here: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/ap12237_.htm
Follow instructions as provided by your JMS Provider.
CICS Nodes:
General instructions here: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/bc16170_.htm?cp=SSMKHH_9.0.0%2F1-14-2-1-5-5
The CICS nodes use TLS by default, so no change needed.
Security providers:
WSTrust:
set the environment variable MQSI_STS_SSL_PROTOCOL to "TLS"
TFIM:
set the environment variable MQSI_TFIM_SSL_PROTOCOL to "TLS"
ODBC (DataDirect) OpenSSL as configured in odbc.ini:
The ODBC Oracle Wire Protocol driver allows for the EncryptionMethod connect option to be set to a value of 5, which means only use TLS1 or higher. Setting EncryptionMethod=5 for the Oracle Wire Protocol driver will avoid POODLE. This functionality has been available since the 6.1 version of the Oracle WP driver. The providers of DataDirect drivers are working on similar functionality to all other ODBC drivers that support SSL and upgrading the version of OpenSSL used within the drivers to pickup the enhancement to SSL negotiation.
The client-based ODBC drivers (DB2 Client and Informix Client) rely on the SSL implementation within the Database’s client libraries. Please see the documentation for your client libraries to learn about possible exposure to POODLE.
IBM recommends that you review your entire environment to identify other areas that enable SSLv3 protocol and take appropriate mitigation (such as disabling SSLv3) and remediation actions
WebSphere Message Broker v8 HVE, IBM Integration Bus V9 HVE and IBM SOA Policy pattern for Red Hat Enterprise Linux Server
IBM recommends that you review your entire environment to identify vulnerable releases of SSLv3 including your Operating Systems and take appropriate mitigation and remediation actions. Please contact your Operating System provider for more information.
Get Notified about Future Security Bulletins
Important Note
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
References
Acknowledgement
None
Change History
23 Oct 2014 - Original version Published
30 Oct 2014 - Added OpenSSL Security Vulnerability (CVE-2014-3568)
23 Mar 2015- Fix for DataDirect Driver users
16 April 2015- Changed wording to 'MUST disable SSLv3'
23 Sep 2015- Revised expiry date
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Product Synonym
WMB IIB
Was this topic helpful?
Document Information
Modified date:
19 August 2022
UID
swg21687678