Security Bulletin: Vulnerability in SSLv3 affects WebSphere DataPower XC10 Appliance versions 2.1 and 2.5 (CVE-2014-3566)

Workarounds and Mitigations

IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3.

To disable SSLv3 for XC10 Version 2.5, take the following steps. From the administrative user interface, under Collective-->Settings-->Manage cryptography standard, specify any of the settings FIPS 140-2, SP800-131a transition, SP800-131a transition with TLSv1.2, or SP800-131a strict. Any of these settings will disable SSLv3. Appliance client applications must be configured so that they can support TLSv1, or TLSv1.2 if that is used. The SP800-131a strict configuration requires TLSv1.2. If the 2.5 firmware upgrade given above is applied, or a later level of firmware is used, it is also possible to use a TLSv1 setting, in addition to those already listed. Then click Apply changes now. This will restart the collective, and data in the cache at the time of the restart will be lost.

For Version 2.1, apply the firmware upgrade given above. If the appliance is in a collective, all the appliances in the collective should be upgraded before making the configuration change. Then, from the administrative user interface, under Appliance-->Settings-->Security-->Manage cryptography standard, specify TLSv1, and then click Submit TLS Settings. This operation will restart the collective, and data in the cache at the time of the restart will be lost.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this one.