IBM Support

Security Bulletin: Vulnerability in SSLv3 affects IBM Support Assistant Team Server (CVE-2014-3566)

Created by Andrew Cook on
Published URL:
https://www.ibm.com/support/pages/node/254429
254429

Security Bulletin


Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM® Support Assistant Team Server.

Vulnerability Details

CVE-ID: CVE-2014-3566

DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM Support Assistant Team Server version 5.0.0 and 5.0.1.

Remediation/Fixes

The recommended solution is to install the new IBM Support Assistant Team Server 5.0.1.1.

For V5.0.0 through 5.0.1:

Workarounds and Mitigations

IBM Support Assistant is configured with a basic user registry to support authentication and authorization for access to the Administration console. For details on how to change the configuration refer to the Securing Communications section of the IBM Support Assistant Team Server Knowledge Center.

An “ssl” element can be added so the default ssl configuration will not use SSLv3. The sslProtocol attribute in the ssl element defines what protocol is used. Setting it to TLS will override the default.

  1. Open a command prompt, then change directory to the <isa_install>/ISA5/wlp/usr/servers/isa directory.
  2. Open the server.xml file with a text editor
  3. Add "ssl" element

    <ssl id="defaultSSLConfig" 
           keyStoreRef="defaultKeyStore"
           sslProtocol="TLS" />


Refer to the Security Bulletin for WebSphere Application Server Liberty Profile for details.

IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Subscribe to Security Bulletins

Acknowledgement

None

Change History

21 October 2014: Original Version Published
29 October 2014: Add targeted fix availability
12 November 2014: Added link for applying the 5.0.1.1 update

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSLLVC","label":"IBM Support Assistant"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Team Server","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"5.0.1;5.0","Edition":"TeamServer","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
15 June 2018

UID

swg21687722

Page Feedback