IBM Support

Security Bulletin: Vulnerability in SSLv3 affects Tivoli Storage Manager Operations Center (CVE-2014-3566)

Created by Rob Jose on
Published URL:
https://www.ibm.com/support/pages/node/522757
522757

Security Bulletin


Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in Tivoli Storage Manager Operations Center.

Vulnerability Details

CVE-ID: CVE-2014-3566

DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Tivoli Storage Manager Operations Center v6.4 and v7.1

Remediation/Fixes

TSM OC Release

Remediation/First Fix
6.46.4.2.100 - ALL Operating Systems (see NOTE below)
7.17.1.1.100 - ALL Operating Systems


NOTE:
For Operations Center 6.4, you must first uninstall Operations Center 6.4, delete the cached files, and then reinstall Operations Center using the following instructions:

  1. Download the Remediation Fix for Operations Center 6.4.2.100 (see above).
  2. Open IBM Installation Manager, click Uninstall, and follow the instructions in the wizard.
  3. Close IBM Installation Manager.
  4. Copy the following file to a different directory: <install dir>/tsm/ui/Liberty/usr/servers
    /guiServer/serverConnection.properties
  5. Delete the following directory: <install dir>/tsm/ui
  6. Open IBM Installation Manager, click Install, and follow the instructions in the wizard.
  7. Close IBM Installation Manager.
  8. Copy the serverConnection.properties file from its temporary location to the following directory: <install dir>/tsm/ui/Liberty/usr/servers

Workarounds and Mitigations

Direct the GUI's Liberty profile web server to disable use of the SSLv3 and older protocols. This is done by editing the web server configuration to set the minimum protocol to be Transport Layer Security (TLS) 1.0.

Use the following procedure to edit the web server configuration:

For TSM Operations Center v6.4.2 and v7.1.0

  1. Locate the server.xml file in its current directory:
    Windows: C:\Tivoli\TSM\ui\Liberty\usr\servers\guiServer
    AIX / Linux: /opt/tivoli/tsm/ui/Liberty/usr/servers/guiServer
  2. Edit the server.xml file with a text editor as follows:
    a) Locate the existing line that starts with <keyStore id="defaultKeyStore" ...
    b) Insert the following 2 lines below it:
    <ssl id="ocSSLConfig" sslProtocol="TLS" keyStoreRef="defaultKeyStore"/>
    <sslDefault sslRef="ocSSLConfig"/> 
    c) Save the changes to server.xml
  3. In same directory as server.xml, save the jvm.options file that is attached to this bulletin and located after the Disclaimer.
  4. Restart the web server as follows:
    • Windows: 
      a. Click Start > Control Panel > Administrative Tools > Services
      b. Right-click Tivoli Storage Manager Operations Center Service and click Restart 
    • AIX / Linux: Issue the following command as root:

      • service web server restart

For TSM Operations Center v7.1.1
  1. Locate the bootstrap.properties file in its current directory:
    Windows: C:\Tivoli\TSM\ui\Liberty\usr\servers\guiServer
    AIX / Linux: /opt/tivoli/tsm/ui/Liberty/usr/servers/guiServer
  2. Edit the value of tsm.https.sslRef to SP800131atransition and save changes
  3. In same directory as bootstrap.properties, save the jvm.options file that is attached to this bulletin and located after the Disclaimer.
  4. Restart the web server as follows:
    • Windows: 
      a. Click Start > Control Panel > Administrative Tools > Services
      b. Right-click Tivoli Storage Manager Operations Center Service and click Restart 
    • AIX / Linux: Issue the following command as root:

      • service web server restart

The GUI is now operational with SSLv3 and older protocols disabled.

IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3. You should verify disabling SSLv3 does not cause any compatibility issues.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

19 Dec 2014: Original document published
19 May 2015 Updated Remediation instructions for Operations Center 6.4.
01 Dec 2015: Updated to never expire

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

jvm.optionsjvm.options

[{"Product":{"code":"SSSQWC","label":"Tivoli Storage Manager Extended Edition"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"Not Applicable","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"6.4;7.1;7.1.1","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}]

Document Information

Modified date:
17 June 2018

UID

swg21693406

Page Feedback