Security Bulletin: Vulnerability in SSLv3 affects IBM Installation Manager (CVE-2014-3566)

Created by Stuart Frische on
Published URL:
https://www.ibm.com/support/pages/node/517559

Security Bulletin

Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM Installation Manager.

Vulnerability Details


CVE-ID: CVE-2014-3566

Description: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

All versions of IBM Installation Manager.

Remediation/Fixes

None

IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3.

Workarounds and Mitigations

While it is not possible to disable SSLv3 in the IBM Installation Manager, you can use one of the options below to ensure it does not use the SSLv3 protocol.

Option #1: Use local paths to access repositories instead of HTTP servers

IBM Installation Manager connects to package repositories to download product artifacts and the instructions for installing them. Rather than using an HTTP server to host these repositories, you can access a repository through a local path.

A common way to do this is to host a repository on a network share that is reachable from every machine in your environment through a UNC path. You can use domain credentials to restrict access to individual repositories as needed.

Option #2: Upgrade to IBM Installation Manager 1.8.0 or newer and adopt the TLS protocol in your HTTP server

IBM Installation Manager 1.8.0 or newer can communicate with servers that use the TLS protocol. It is recommended that you upgrade all installations of Installation Manager to version 1.8.0 or later and convert all HTTP servers hosting package repositories to use the TLS protocol and disable SSLv3.

The “IBM Installation Manager Downloads” link in the references section of this document will take you to a page where you can find any version of Installation Manager that has been released. Click on the “Download Document” link to access the download document for the version of the IBM Installation Manager that you’d like to download. Before downloading and installing, we also recommend that you review the supported platforms by clicking the “Detailed System Requirements” link in the same document.

Instructions for converting an HTTP server to use TLS and for disabling SSLv3 can be found in the documentation for that server.

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Acknowledgement

None

Change History

* 30 October 2014: Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
25 October 2021

UID

swg21688724