IBM Support

Security Bulletin: Vulnerability in SSLv3 affects IBM Platform Symphony (CVE-2014-3566)

Published URL:
https://www.ibm.com/support/pages/node/679701

Security Bulletin


Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in Platform Symphony.

Vulnerability Details

CVE-ID: CVE-2014-3566

DESCRIPTION: The product could allow a remote attacker to obtain sensitive information, caused by a design error in the SSLv3 protocol: the CBC padding bytes are not covered by the record MAC, so a server's acceptance or rejection of a modified record leaks information about the plaintext. A remote attacker able to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM Platform Symphony v5.2, v6.1.x

Remediation/Fixes

None

Workarounds and Mitigations

IBM recommends that you review your entire environment to identify other areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions, such as disabling SSLv3.

POODLE depends on CBC-mode padding, so the workaround below restricts the Symphony transport to a stream cipher, which has no padding to attack. Complete the steps below to use an RC4 cipher such as RC4-MD5 or RC4-SHA. Note that the example parameter lines show EDH-RSA-DES-CBC3-SHA, a CBC cipher suite; substitute the chosen RC4 suite in the CIPHER= field. RC4 has known statistical weaknesses of its own (it is prohibited for TLS by RFC 7465), so treat this as an interim measure until SSLv3 can be disabled outright.

1. Open the ego.conf file on the management host using a text editor. The location of the file is defined in the EGO_CONFDIR environment variable.
2. Set the EGO_TRANSPORT_SECURITY parameter to SSL.
3. Set EGO_DEFAULT_TS_PARAMS to the SSL driver with the server certificate, private key and cipher suite.

For example:

(Linux/UNIX)

EGO_DEFAULT_TS_PARAMS="SSL[CERTIFICATE=/etc/symcert.pem,CIPHER=EDH-RSA-DES-CBC3-SHA,PRIVATE_KEY=/etc/symkey.pem]"

(Windows)

EGO_DEFAULT_TS_PARAMS="SSL[CERTIFICATE=C:\xxc\newcert.pem,CIPHER=EDH-RSA-DES-CBC3-SHA,PRIVATE_KEY=C:\xxc\newkey.pem]"

Note: In most cases, EGO_KD_TS_PARAMS and EGO_SC_TS_PARAMS do not need to be defined, as VEMKD and the Service Controller use the SSL parameters in EGO_DEFAULT_TS_PARAMS by default.

4. Assign an SSL port number to the EGO_KD_TS_PORT parameter.
5. Open the ego.conf file on the client host using a text editor.
6. For EGO_CLIENT_TS_PARAMS, enable server authentication.

For example:

(Linux/UNIX)

EGO_CLIENT_TS_PARAMS="SSL[CAFILE=/home/.../cacert.pem,CIPHER=EDH-RSA-DES-CBC3-SHA,SERVER_AUTH={myCN}]"

(Windows)

EGO_CLIENT_TS_PARAMS="SSL[CIPHER=EDH-RSA-DES-CBC3-SHA,CAFILE=C:\xxc\demoCA\cacert.pem,SERVER_AUTH={myCN}]"

7. Open the sd.xml file on the management host using an XML editor.
8. Set the SD_SDK_TRANSPORT parameter to TCPIPv4SSL (SSL driver on TCP/IPv4).
9. Set the SD_SDK_TRANSPORT_ARG parameter to $EGO_DEFAULT_TS_PARAMS.
10. Set the SSM_SDK_TRANSPORT parameter to TCPIPv4SSL (SSL driver on TCP/IPv4).
11. Set the SSM_SDK_TRANSPORT_ARG parameter to $EGO_DEFAULT_TS_PARAMS.
12. Set the SDK_TRANSPORT parameter to TCPIPv4SSL (SSL driver on TCP/IPv4).
13. Set the SDK_TRANSPORT_ARG parameter to $EGO_CLIENT_TS_PARAMS.

14. For the Platform Symphony 6.1.1 security patch, to enable an SSL connection between SSM and SIM, the SSM_SDK_TRANSPORT_ARG parameter uses the same format as EGO_DEFAULT_TS_PARAMS, and the SDK_TRANSPORT_ARG parameter uses the same format as EGO_CLIENT_TS_PARAMS.

15. For the Platform Symphony 6.1.1 security patch, to configure application data integrity and privacy, set the client-side environment variable SOAM_SET_CIPHER_SECURE_DDT to RC4-MD5 or RC4-SHA.
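The following is an added example, not IBM's code and not part of the original bulletin. It audits the ego.conf settings from steps 1 to 6 above by parsing the SSL[KEY=VALUE,...] transport-security syntax shown in the examples and flagging any CIPHER entry that is not one of the RC4 suites the workaround calls for. The two ego.conf fragments are constructed samples: the port number 7871 and the certificate paths are made-up values, and the allowlist of acceptable suites is an assumption based on the RC4-MD5 and RC4-SHA names given in this bulletin.

```python
"""Audit ego.conf transport-security settings for the POODLE workaround.

Added example, not IBM's code. Parses the SSL[...] parameter syntax shown in
the bulletin and flags cipher suites that are not the RC4 stream ciphers the
workaround requires.
"""
import re

# Constructed sample fragments of ego.conf (not from the bulletin). The port
# number and the certificate/key paths are made-up values for illustration.
EGO_CONF_CBC = """\
EGO_TRANSPORT_SECURITY=SSL
EGO_DEFAULT_TS_PARAMS="SSL[CERTIFICATE=/etc/symcert.pem,CIPHER=EDH-RSA-DES-CBC3-SHA,PRIVATE_KEY=/etc/symkey.pem]"
EGO_KD_TS_PORT=7871
EGO_CLIENT_TS_PARAMS="SSL[CAFILE=/etc/cacert.pem,CIPHER=EDH-RSA-DES-CBC3-SHA,SERVER_AUTH={myCN}]"
"""

EGO_CONF_RC4 = """\
EGO_TRANSPORT_SECURITY=SSL
EGO_DEFAULT_TS_PARAMS="SSL[CERTIFICATE=/etc/symcert.pem,CIPHER=RC4-SHA,PRIVATE_KEY=/etc/symkey.pem]"
EGO_KD_TS_PORT=7871
EGO_CLIENT_TS_PARAMS="SSL[CAFILE=/etc/cacert.pem,CIPHER=RC4-SHA,SERVER_AUTH={myCN}]"
"""

# Assumed allowlist: the stream-cipher suites named in the bulletin. OpenSSL
# names for CBC suites do not all contain "CBC" (AES128-SHA is CBC), so an
# allowlist is safer than a substring denylist.
POODLE_SAFE_SUITES = {"RC4-MD5", "RC4-SHA"}

_ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"?(.*?)"?\s*$')
_TS_RE = re.compile(r"\s*(\w+)\[(.*)\]\s*")


def parse_ego_conf(text):
    """Return {PARAM: value} for NAME=VALUE lines; surrounding quotes are stripped."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ASSIGN_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def parse_ts_params(value):
    """Parse 'SSL[K=V,K=V,...]' into (driver, {K: V}).

    Assumes values contain no commas; OpenSSL cipher lists use ':' as separator.
    """
    m = _TS_RE.fullmatch(value)
    if not m:
        raise ValueError(f"malformed transport security parameter: {value!r}")
    driver, body = m.group(1), m.group(2)
    params = {}
    for item in body.split(","):
        if "=" not in item:
            raise ValueError(f"expected KEY=VALUE, got {item.strip()!r}")
        key, val = item.split("=", 1)
        params[key.strip()] = val.strip()
    return driver, params


def unsafe_suites(cipher_string):
    """Return entries of an OpenSSL cipher string that are not on the allowlist."""
    return [s for s in cipher_string.split(":") if s and s not in POODLE_SAFE_SUITES]


def audit_ego_conf(text):
    """Return a list of findings; an empty list means the workaround is fully applied."""
    conf = parse_ego_conf(text)
    findings = []
    if conf.get("EGO_TRANSPORT_SECURITY") != "SSL":
        findings.append("EGO_TRANSPORT_SECURITY is not SSL")
    if "EGO_KD_TS_PORT" not in conf:
        findings.append("EGO_KD_TS_PORT (SSL port for VEMKD) is not set")
    for name in ("EGO_DEFAULT_TS_PARAMS", "EGO_CLIENT_TS_PARAMS"):
        raw = conf.get(name)
        if raw is None:
            findings.append(f"{name} is not set")
            continue
        try:
            driver, params = parse_ts_params(raw)
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
            continue
        if driver != "SSL":
            findings.append(f"{name}: driver is {driver}, not SSL")
        cipher = params.get("CIPHER", "")
        if not cipher:
            findings.append(f"{name}: no CIPHER set; the library default may negotiate CBC suites")
        for suite in unsafe_suites(cipher):
            findings.append(f"{name}: {suite} is not an RC4 stream cipher and remains exposed to POODLE")
        if name == "EGO_CLIENT_TS_PARAMS":
            if "SERVER_AUTH" not in params:
                findings.append(f"{name}: SERVER_AUTH missing; the client does not verify the server identity")
            if "CAFILE" not in params:
                findings.append(f"{name}: CAFILE missing; no trust anchor for the server certificate")
    return findings


if __name__ == "__main__":
    for label, conf in (("CBC example", EGO_CONF_CBC), ("RC4 example", EGO_CONF_RC4)):
        result = audit_ego_conf(conf)
        print(f"{label}: {'OK' if not result else len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the first fragment it reports both the daemon-side and the client-side CIPHER as CBC suites; the second fragment passes. After changing the configuration on a live system, confirm the result from a client host with an OpenSSL build that still includes SSLv3 support (recent builds omit it): `openssl s_client -connect host:port -ssl3 -cipher EDH-RSA-DES-CBC3-SHA` should fail to complete a handshake, while the same command with `-cipher RC4-SHA` should succeed.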


References


Acknowledgement

None

Change History

21 October 2014: Original version published



*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.


Document Information

Modified date:
17 June 2018

UID

isg3T1021415