Security Bulletin
Summary
SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM uBuild.
Vulnerability Details
Subscribe to My Notifications to be notified of important product support alerts like this.
|
CVE-ID: CVE-2014-3566
Description: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Products and Versions
IBM uBuild 5.0, 5.0.1, 5.0.1.1, 5.0.1.2, and 5.0.1.3 on all supported platforms.
Remediation/Fixes
Upgrade to IBM uBuild Fix Pack 4 (5.0.1.4) for 5.0.1 as SSLv3 is automatically disabled:
Note: Old agents may not be able to connect to IBM uBuild when SSLv3 has not been disabled on the agent. To disable SSLv3, upgrade all old agents to the latest version. There are also known issues with older plugins that connect back to the server to upload source changes, issues, reports, etc. when using the IBM JDK/JRE. To avoid any potential issues, upgrade all plugins in your server to the latest version available on our plugins page.
Workarounds and Mitigations
- Note: This mitigation is intended for the servers in "Affected Products and Versions" only. It should not be applied on later releases. Additionally, IBM uBuild Agents with a version earlier than 5.0.0-584477 may be unable to connect after applying this change. It is highly recommended to address this issue by upgrading the IBM uBuild server to 5.0.1.4 and then upgrading all agents.
- Open the file <server_install_dir>/opt/tomcat/conf/server.xml in a text editor
- Find the XML element that begins with <Connector port="${install.server.web.https.port}"
- Update the following attributes within this XML element.
Do not add any extra characters or whitespace. If the attribute does not exist, then create it.
sslProtocol="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
Mitigating POODLE attacks on HTTP communication (by default, communication on port 8443)
Get Notified about Future Security Bulletins
References
Acknowledgement
None
Change History
* 21 November 2014: Original copy published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Internal Use Only
PSIRT # 2290 Record # 45075
All source code and/or binaries attached to this document are referred to here as "the Program". IBM is not providing program services of any kind for the Program. IBM is providing the Program on an "AS IS" basis without warranty of any kind. IBM WILL NOT BE LIABLE FOR ANY ACTUAL, DIRECT, SPECIAL, INCIDENTAL, OR INDIRECT DAMAGES OR FOR ANY ECONOMIC CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), EVEN IF IBM, OR ITS RESELLER, HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. |
|---|
 server-example.xml |
Was this topic helpful?
Document Information
Modified date:
17 June 2018
UID
swg21690838