SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM InfoSphere Balanced Warehouse C3000, C4000, IBM Smart Analytics System 1050, 2050 and 5710.
CVE-ID: CVE-2014-3566
DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
IBM InfoSphere Balanced Warehouse C3000
IBM InfoSphere Balanced Warehouse C4000
IBM Smart Analytics System 1050
IBM Smart Analytics System 2050
IBM Smart Analytics System 5710
For each affected component in the table, download the recommended fix, and install using the link in the Installation Instructions column.
For more information about IBM IDs, see the Help and FAQ.
| IBM InfoSphere Balanced Warehouse C3000 and C4000 for Linux |
| Affected Component | Recommended Fix | Download Link | Installation Instructions |
| SUSE Linux Enterprise Server 10 | Update OpenSSL to 0.9.8a-18.86.3 | Novell: Patch 8982 | Installing a SUSE Linux Enterprise Server update in a Balanced Warehouse or IBM Smart Analytics System or Balanced Warehouse environment |
| IBM WebSphere Application Server 7 | Install Interim Fix PI28439 | IBM Fix Central: Interim Fix PI28439 | Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566) |
| Cognos Business Intelligence 8.4.1 | Install Interim Fix 8 | IBM Fix Central: Cognos Business Intelligence 8.4.1 Interim Fix 8 | Cognos Business Intelligence 8.4.1 Interim Fix 8 addresses a security vulnerability |
| IBM InfoSphere Balanced Warehouse C3000 and C4000 for Windows |
| Affected Component | Recommended Fix | Download Link | Installation Instructions |
| IBM WebSphere Application Server 7 | Install Interim Fix PI28439 | IBM Fix Central: Interim Fix PI28439 | Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566) |
| Cognos Business Intelligence 8.4.1 | Install Interim Fix 8 | IBM Fix Central: Cognos Business Intelligence 8.4.1 Interim Fix 8 | Cognos Business Intelligence 8.4.1 Interim Fix 8 addresses a security vulnerability |
| IBM Smart Analytics System 1050 for Linux |
| Affected Component | Recommended Fix | Download Link | Installation Instructions |
| IBM System x3500 M3 | Update IMM to 1.47 | IBM Fix Central: IMM 1.47 | Updating the IBM System x IMM, UEFI, or DSA - Preboot Embedded in an IBM InfoSphere Balanced Warehouse or IBM Smart Analytics System environment |
| SUSE Linux Enterprise Server 11 | Update OpenSSL to 0.9.8j-0.66.1
Update suseRegister to 1.4-1.35.1
Update evolution-data-server to 2.28.2-0.32.1
Update IBM Java to 1.6.0_sr16.2-0.3.1 | Novell: Patch 9915
Novell: Patch 10008
Novell: Patch 9969
Novell: Patch 9992 | Installing a SUSE Linux Enterprise Server update in a Balanced Warehouse or IBM Smart Analytics System or Balanced Warehouse environment |
| IBM WebSphere Application Server 7 | Install Interim Fix PI28439 | IBM Fix Central: Interim Fix PI28439 | Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566) |
| Cognos Business Intelligence 8.4.1 | Install Interim Fix 8 | IBM Fix Central: Cognos Business Intelligence 8.4.1 Interim Fix 8 | Cognos Business Intelligence 8.4.1 Interim Fix 8 addresses a security vulnerability |
| IBM Smart Analytics System 1050 for Windows |
| Affected Component | Recommended Fix | Download Link | Installation Instructions |
| IBM System x3500 M3 | Update IMM to 1.47 | IBM Fix Central: IMM 1.47 | Updating the IBM System x IMM, UEFI, or DSA - Preboot Embedded in an IBM InfoSphere Balanced Warehouse or IBM Smart Analytics System environment |
| IBM WebSphere Application Server 7 | Install Interim Fix PI28439 | IBM Fix Central: Interim Fix PI28439 | Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566) |
| Cognos Business Intelligence 8.4.1 | Install Interim Fix 8 | IBM Fix Central: Cognos Business Intelligence 8.4.1 Interim Fix 8 | Cognos Business Intelligence 8.4.1 Interim Fix 8 addresses a security vulnerability |
| IBM Smart Analytics System 2050 for Linux |
| Affected Component | Recommended Fix | Download Link | Installation Instructions |
| IBM System x3850 X5 | Update IMM to 1.47 | IBM Fix Central: IMM 1.47 | Updating the IBM System x IMM, UEFI, or DSA - Preboot Embedded in an IBM InfoSphere Balanced Warehouse or IBM Smart Analytics System environment |
| SUSE Linux Enterprise Server 11 | Update OpenSSL to 0.9.8j-0.66.1
Update suseRegister to 1.4-1.35.1
Update evolution-data-server to 2.28.2-0.32.1
Update IBM Java to 1.6.0_sr16.2-0.3.1 | Novell: Patch 9915
Novell: Patch 10008
Novell: Patch 9969
Novell: Patch 9992 | Installing a SUSE Linux Enterprise Server update in a Balanced Warehouse or IBM Smart Analytics System or Balanced Warehouse environment |
| IBM WebSphere Application Server 7 | Install Interim Fix PI28439 | IBM Fix Central: Interim Fix PI28439 | Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566) |
| Cognos Business Intelligence 8.4.1 | Install Interim Fix 8 | IBM Fix Central: Cognos Business Intelligence 8.4.1 Interim Fix 8 | Cognos Business Intelligence 8.4.1 Interim Fix 8 addresses a security vulnerability |
| IBM Smart Analytics System 2050 for Windows |
| Affected Component | Recommended Fix | Download Link | Installation Instructions |
| IBM System x3850 X5 | Update IMM to 1.47 | IBM Fix Central: IMM 1.47 | Updating the IBM System x IMM, UEFI, or DSA - Preboot Embedded in an IBM InfoSphere Balanced Warehouse or IBM Smart Analytics System environment |
| IBM WebSphere Application Server 7 | Install Interim Fix PI28439 | IBM Fix Central: Interim Fix PI28439 | Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566) |
| Cognos Business Intelligence 8.4.1 | Install Interim Fix 8 | IBM Fix Central: Cognos Business Intelligence 8.4.1 Interim Fix 8 | Cognos Business Intelligence 8.4.1 Interim Fix 8 addresses a security vulnerability |
| IBM Smart Analytics System 5710 |
| Affected Component | Recommended Fix | Download Link | Installation Instructions |
| IBM System x3630 M3 | Update IMM to 1.47 | IBM Fix Central: IMM 1.47 | Updating the IBM System x IMM, UEFI, or DSA - Preboot Embedded in an IBM InfoSphere Balanced Warehouse or IBM Smart Analytics System environment |
| SUSE Linux Enterprise Server 11 | Update OpenSSL to 0.9.8j-0.66.1
Update suseRegister to 1.4-1.35.1
Update evolution-data-server to 2.28.2-0.32.1
Update IBM Java to 1.6.0_sr16.2-0.3.1 | Novell: Patch 9915
Novell: Patch 10008
Novell: Patch 9969
Novell: Patch 9992 | Installing a SUSE Linux Enterprise Server update in a Balanced Warehouse or IBM Smart Analytics System or Balanced Warehouse environment |
| IBM WebSphere Application Server 7 | Install Interim Fix PI28439 | IBM Fix Central: Interim Fix PI28439 | Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566) |
| Cognos Business Intelligence 10.1 | Install Interim Fix 10 | IBM Fix Central: Cognos Business Intelligence 10.1 Interim Fix 10 | Cognos Business Intelligence 10.1.x interim fixes address a security vulnerability |
For assistance, contact IBM Support:
IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3. You should verify disabling SSLv3 does not cause any compatibility issues.
References
Off
January 9, 2015: Original version published.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
[{"Product":{"code":"SSKT3D","label":"IBM Smart Analytics System"},"Business Unit":{"code":"BU050","label":"BU NOT IDENTIFIED"},"Component":"IBM Smart Analytics System 5710","Platform":[{"code":"PF016","label":"Linux"}],"Version":"9.7","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"SSKT3D","label":"IBM Smart Analytics System"},"Business Unit":{"code":"BU050","label":"BU NOT IDENTIFIED"},"Component":"IBM Smart Analytics System 1050","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"9.7","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"SSKT3D","label":"IBM Smart Analytics System"},"Business Unit":{"code":"BU050","label":"BU NOT IDENTIFIED"},"Component":"IBM Smart Analytics System 2050","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"9.7","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"SSFVXC","label":"InfoSphere Balanced Warehouse"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Balanced Warehouse C Class - C3000","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"9.7","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Product":{"code":"SSFVXC","label":"InfoSphere Balanced Warehouse"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Balanced Warehouse C Class - C4000","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"9.7","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]