IBM Support

Security Bulletin: Vulnerability in SSLv3 affects IBM SAN b-type switches and directors (CVE-2014-3566)

Created by Igets Administrator on
Published URL:
https://www.ibm.com/support/pages/node/690103
690103

Security Bulletin


Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM SAN b-type switches and directors.

Vulnerability Details

CVE-ID: CVE-2014-3566

DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM SAN b-type switches and directors running FOS.

IBM MTM:

2499-816IBM System Storage SAN768B-2
2499-416IBM System Storage SAN384B-2
2499-384IBM System Storage SAN768B
2499-192IBM System Storage SAN384B
2498-R06IBM System Storage SAN06B-R
2498-N96IBM System Networking SAN96B-5
2498-F96IBM System Networking SAN96B-5
2498-F48IBM System Storage SAN48B-5
2498-F24IBM System Networking SAN24B-5
2498-E32IBM Encryption Switch
2498-B80IBM System Storage SAN80B-4
2498-B40IBM System Storage SAN40B-4
2498-B24IBM System Storage SAN24B-4
2109-M48IBM TotalStorage SAN256B Director Model M48
2005-R04IBM System Storage SAN04B-R

Remediation/Fixes

None

Workarounds and Mitigations

End users should configure their web browsers or Brocade Network Advisor to disable SSLv3 support when accessing Brocade SAN switch. In addition, place your Brocade SAN switch and other data center critical infrastructure behind a firewall to disallow access from the Internet to minimize potential exposure to the attacks documented in this advisory.

IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3. You should verify disabling SSLv3 does not cause any compatibility issues.

Important note: IBM strongly suggests that all System z customers subscribe to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Subscribe to Security Bulletins

Acknowledgement

None

Change History

24 October 2104 - Original Version Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"STMSAD","label":"Storage area network (SAN)->SAN768B-2 Fabric Backbone (2499-816)"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":"--","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent","Edition":"Enterprise","Line of Business":{"code":"","label":""}},{"Product":{"code":"STNNL8","label":"IBM Storage Networking SAN24B-5"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Product":{"code":"STUQVR","label":"IBM Storage Networking SAN32B-E4"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Product":{"code":"STMSBR","label":"Storage area network (SAN)->SAN384B-2 Fabric Backbone (2499-416)"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"STMN38","label":"Storage area network (SAN)->SAN42B-R (2498-R42)"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"STMSCJ","label":"Storage area network (SAN)->SAN48B-5 Switch (2498-F48)"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"STNNAB","label":"Storage area network (SAN)->SAN96B-5 Switch (2498-F96, N96)"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
27 February 2023

UID

ssg1S1004967

Page Feedback