Security Bulletin
Summary
A Transport Layer Security (TLS) padding vulnerability, exploitable via a POODLE-like (Padding Oracle On Downgraded Legacy Encryption) attack, affects Content Manager Enterprise Edition.
Vulnerability Details
DESCRIPTION:
The product could allow a remote attacker to obtain sensitive information, because some TLS implementations fail to check the contents of the padding bytes when using CBC cipher suites. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE-like (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt sensitive information and recover the plaintext of secure connections.
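The following Python block is an added illustration of the defect the description refers to; it is not IBM, GSKit or Content Manager code, and the function names are ours. It contrasts a lax TLS CBC unpadding routine that trusts only the final padding_length byte with a strict one that verifies every padding byte equals that length, which is the behaviour the GSK_STRICTCHECK_CBCPADBYTES workaround below enables. A constructed record whose padding was altered in transit is accepted by the lax check and rejected by the strict one.

```python
"""Lax vs. strict TLS CBC padding checks (added illustration, not IBM/GSKit code)."""
import hmac

BLOCK_SIZE = 16  # AES block size; the TLS record (data || MAC) is padded to a multiple of it


def pad_tls(data: bytes) -> bytes:
    """Apply TLS 1.0+ CBC padding (RFC 5246, 6.2.3.2).

    The record ends with pad_len+1 bytes, every one equal to pad_len, so a
    receiver can verify the whole padding rather than only its last byte.
    """
    pad_len = (BLOCK_SIZE - (len(data) + 1) % BLOCK_SIZE) % BLOCK_SIZE
    return data + bytes([pad_len] * (pad_len + 1))


def unpad_lax(record: bytes):
    """The weak check: trusts only the final padding_length byte.

    The padding bytes' contents are never inspected, so a record whose
    padding was altered in transit is still accepted. Returns payload or None.
    """
    if not record:
        return None
    pad_len = record[-1]
    if pad_len + 1 > len(record):
        return None
    return record[: len(record) - pad_len - 1]


def unpad_strict(record: bytes):
    """The strict check: every padding byte must equal pad_len.

    This is what GSK_STRICTCHECK_CBCPADBYTES=GSK_TRUE turns on in GSKit,
    per the bulletin. Returns payload or None.
    """
    if not record:
        return None
    pad_len = record[-1]
    if pad_len + 1 > len(record):
        return None
    padding = record[len(record) - pad_len - 1:]
    expected = bytes([pad_len] * (pad_len + 1))
    # Constant-time comparison so the check itself does not reveal which byte differed.
    if not hmac.compare_digest(padding, expected):
        return None
    return record[: len(record) - pad_len - 1]


def tampered_record(data: bytes) -> bytes:
    """Constructed test input: a correctly padded record with its first padding byte altered.

    A receiver that validates padding properly must reject it; the lax check does not.
    """
    rec = bytearray(pad_tls(data))
    if rec[-1] == 0:
        raise ValueError("record has no padding byte other than the length byte")
    rec[len(data)] ^= 0xFF  # index len(data) is the first padding byte
    return bytes(rec)


if __name__ == "__main__":
    payload = b"GET /secret HTTP/1.1"  # constructed sample payload
    good = pad_tls(payload)
    bad = tampered_record(payload)
    print("lax accepts altered padding:", unpad_lax(bad) == payload)
    print("strict rejects altered padding:", unpad_strict(bad) is None)
    print("strict accepts valid padding:", unpad_strict(good) == payload)
```

Strict padding validation is one part of the fix; a production implementation must also keep the MAC check and the error path timing-independent of where the padding failed, otherwise the oracle reappears as a timing side channel.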
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99216 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Products and Versions
Remediation/Fixes
| Product | VRMF | APAR | Remediation/First Fix |
| Content Manager Enterprise Edition | 8.5 | None | Contact Level 2 support. Request fix number: /002_850002atf |
Workarounds and Mitigations
1. If using DB2, make sure that the DB2 level is one of the following. If not, upgrade DB2 first.
- DB2 V9.7 fixpack or later (GSKit level 8.0.14.32)
- DB2 V10.1 fixpack 3a or later (GSKit level 8.0.14.43)
- DB2 V10.5 GA or later (GSKit level 8.0.14.27)
2. Set the environment variable GSK_STRICTCHECK_CBCPADBYTES for the Library Server. Follow the instructions according to the database/platform used.
a. For Library Server using DB2 on Unix:
- Update the profile.env of the Library Server database instance to include GSK_STRICTCHECK_CBCPADBYTES in the DB2ENVLIST parameter.
- Update the user profile to export the variable:
  export GSK_STRICTCHECK_CBCPADBYTES=GSK_TRUE
Note: Refer to this link for more details:
http://www.ibm.com/support/knowledgecenter/SSRS7Z_8.5.0/com.ibm.installingcm.doc/dcmca128.htm?lang=en
b. For Library Server using DB2 or Oracle on Windows:
Set the system environment variable GSK_STRICTCHECK_CBCPADBYTES=GSK_TRUE using the Control Panel.
c. For Library Server using Oracle on Unix:
Setting the environment variable GSK_STRICTCHECK_CBCPADBYTES:
- You must be an Oracle DBA or another user with authorization to modify the Oracle listener.ora configuration file.
- Modify listener.ora by identifying the entry, under the named listener used to service the IBM Content Manager library server, that begins with "ENVS". In the same ENVS entry, add the variable GSK_STRICTCHECK_CBCPADBYTES=GSK_TRUE. Example: (ENVS="EXTPROC_DLLS=ONLY:C:\ibm\db2cmv8\lib\ICMPORSP.dll;C:\ibm\db2cmv8\lib\ICMPORSV.dll,IBMCMROOT=C:\IBM\db2cmv8,PATH=C:\IBM\db2cmv8\icc64\lib64,GSK_STRICTCHECK_CBCPADBYTES=GSK_TRUE")
- Restart the Oracle listener.
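As an added verification aid for steps 2a and 2c (not an IBM tool), the Python block below checks whether the workaround is actually in place: that GSK_STRICTCHECK_CBCPADBYTES is listed in DB2ENVLIST and exported as GSK_TRUE for the DB2 on Unix case, and that it appears with that value inside the listener's ENVS entry for the Oracle on Unix case. The DB2ENVLIST line format (DB2ENVLIST='NAME1 NAME2', whitespace-separated names) is an assumption; the ENVS format follows the bulletin's own example. Both sample files are constructed, and the EXTPROC_DLLS path is a placeholder.

```python
"""Check that the GSK_STRICTCHECK_CBCPADBYTES workaround is configured (added example, not an IBM tool)."""
import os
import re

VAR = "GSK_STRICTCHECK_CBCPADBYTES"
WANT = "GSK_TRUE"

# Constructed sample of a DB2 instance profile.env; DB2ENVLIST format is an assumption.
SAMPLE_PROFILE_ENV = """\
DB2COMM=TCPIP
DB2ENVLIST='EXTSHM GSK_STRICTCHECK_CBCPADBYTES'
"""

# Constructed sample listener.ora fragment; the library path is a placeholder.
SAMPLE_LISTENER_ORA = """\
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ENVS="EXTPROC_DLLS=ONLY:/path/to/ICMPORSP.so,IBMCMROOT=/opt/ibm/db2cmv8,GSK_STRICTCHECK_CBCPADBYTES=GSK_TRUE")
    )
  )
"""


def db2envlist_names(profile_env_text: str) -> set:
    """Names listed in DB2ENVLIST (assumed quoted and whitespace-separated)."""
    m = re.search(r"^\s*DB2ENVLIST\s*=\s*['\"]?([^'\"\n]*)['\"]?", profile_env_text, re.M)
    return set(m.group(1).split()) if m else set()


def listener_envs(listener_ora_text: str) -> dict:
    """Merge every ENVS="A=B,C=D" entry in listener.ora into a {name: value} dict."""
    envs = {}
    for body in re.findall(r'ENVS\s*=\s*"([^"]*)"', listener_ora_text):
        for item in body.split(","):
            if "=" in item:
                name, value = item.split("=", 1)
                envs[name.strip()] = value.strip()
    return envs


def db2_unix_status(profile_env_text: str, environ) -> dict:
    """Step 2a: the variable must be in DB2ENVLIST and exported as GSK_TRUE in the instance environment."""
    in_list = VAR in db2envlist_names(profile_env_text)
    exported = environ.get(VAR) == WANT
    return {"in_db2envlist": in_list, "exported": exported, "ok": in_list and exported}


def oracle_unix_status(listener_ora_text: str) -> dict:
    """Step 2c: the variable must be set to GSK_TRUE inside the listener's ENVS entry."""
    value = listener_envs(listener_ora_text).get(VAR)
    return {"value": value, "ok": value == WANT}


if __name__ == "__main__":
    # Run from the DB2 instance owner's shell so os.environ reflects the instance profile.
    print("DB2 on Unix:", db2_unix_status(SAMPLE_PROFILE_ENV, os.environ))
    print("Oracle on Unix:", oracle_unix_status(SAMPLE_LISTENER_ORA))
```

Replace the constructed samples with the contents of the real profile.env and listener.ora, and run the DB2 check from the instance owner's session after the profile has been sourced; a variable that is in DB2ENVLIST but not exported, or exported with any value other than GSK_TRUE, is reported as not ok.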
References
Change History
17 December 2014 Original Copy Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date: 29 January 2024
UID: swg21693176