IBM Support

PI31516: Enable strict CBC padding checks on TLS connections (CVE-2014-8730)

Abstract

Enable strict CBC padding checks on TLS connections (CVE-2014-8730)

Download Description

NOTE: For IBM HTTP Server 7.0 and later, this interim fix is superseded by the PI34229 interim fix. The PI34229 interim fix contains the fix for PI31516. You should install the PI34229 interim fix for those versions.

PI31516 resolves the following problem:

ERROR DESCRIPTION:
Transport Layer Security (TLS) padding vulnerability via a POODLE-like (Padding Oracle On Downgraded Legacy Encryption) attack affects IBM HTTP Server.

LOCAL FIX:

PROBLEM SUMMARY:
IBM HTTP Server could allow a remote attacker to obtain sensitive information, caused by the failure to check the contents of the padding bytes when using CBC cipher suites in some TLS implementations. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE-like attack to decrypt sensitive information and recover the plain text of secure connections.

PROBLEM CONCLUSION:
Strict CBC padding checks have been enabled for IHS on TLS connections.
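
The padding check this fix tightens, shown as an added illustration that is not IBM's or GSKit's code: a lenient SSLv3-style check that validates only the length byte, beside the strict TLS 1.0+ check that also verifies every padding byte. The record layout, the 4-byte MAC placeholder and the sample bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum pad_result { PAD_OK = 0, PAD_BAD = 1 };

/* Lenient, SSLv3-style check: trusts the final byte as the padding length and
 * never inspects the padding bytes themselves. This is the behaviour the problem
 * summary describes: a record with arbitrary padding content is accepted or
 * rejected based on its last byte alone, which is what makes the server usable
 * as a padding oracle. */
int cbc_padding_check_lenient(const uint8_t *rec, size_t len, size_t mac_len)
{
    if (len == 0) return PAD_BAD;
    size_t pad = rec[len - 1];                 /* padding length byte */
    if (pad + 1 + mac_len > len) return PAD_BAD; /* only the length is validated */
    return PAD_OK;                              /* padding bytes never examined */
}

/* Strict TLS 1.0+ check (what the fix enables): all pad+1 trailing bytes must
 * equal the padding length. Mismatches are OR-ed together instead of breaking
 * out of the loop, so the position of a bad byte does not change the amount of
 * work done over the padding region. */
int cbc_padding_check_strict(const uint8_t *rec, size_t len, size_t mac_len)
{
    if (len == 0) return PAD_BAD;
    size_t pad = rec[len - 1];
    if (pad + 1 + mac_len > len) return PAD_BAD;
    uint8_t diff = 0;
    for (size_t i = 0; i <= pad; i++)
        diff |= rec[len - 1 - i] ^ (uint8_t)pad;
    return diff == 0 ? PAD_OK : PAD_BAD;
}

int main(void)
{
    /* Constructed 16-byte decrypted record: 3 data bytes, a 4-byte MAC
     * placeholder, then 9 padding bytes (padding length 8). */
    uint8_t good[16]   = { 'a','b','c', 0xAA,0xBB,0xCC,0xDD, 8,8,8,8,8,8,8,8,8 };
    /* Same record with tampered padding content; only the length byte is intact. */
    uint8_t forged[16] = { 'a','b','c', 0xAA,0xBB,0xCC,0xDD, 1,2,3,4,5,6,7,8,8 };
    printf("good:   lenient=%d strict=%d\n",
           cbc_padding_check_lenient(good, 16, 4), cbc_padding_check_strict(good, 16, 4));
    printf("forged: lenient=%d strict=%d\n",
           cbc_padding_check_lenient(forged, 16, 4), cbc_padding_check_strict(forged, 16, 4));
    return 0;
}
```

The forged record passes the lenient check and fails the strict one, which is the difference between the pre-fix and post-fix behaviour.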

NOTE: This interim fix also includes the updates for PI27904 which disables SSL v3 by default on IHS 7.0 and newer. If needed, you can re-enable the SSL v3 protocol by adding the following directive to your IHS configuration file:

SSLProtocolEnable SSLv3

The 'SSLProtocolEnable' directive was added to IHS 7.0 in this same update.

This fix is targeted for IBM HTTP Server fix packs:
- 7.0.0.37
- 8.0.0.11
- 8.5.5.5

Prerequisites

IMPORTANT NOTE: The interim fix for 6.1.0.47 requires the installed global GSKit to be at least the level provided by one of the following interim fixes; otherwise IBM HTTP Server may not start after this interim fix is applied: PI05309, PI09443, PI36417

UpdateInstaller is required for IHS 7.0 and 6.1 interim fixes.

UpdateInstaller (US English; 7250000 bytes; platform listed: AIX): http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

Installation Instructions

For IHS 8.0 and 8.5.5, the interim fix can be installed using Installation Manager (IM) with the Web-based ("live") repository provided by IBM. It might be necessary to de-select the "Show recommended only" option within IM and to expand "Only fixes for version 8.x.y.z" to see the fix listed.

The interim fix is also available from Fix Central at the link listed in the Download Package section below.

Download Package

The 6.1 version of this interim fix is a cumulative interim fix. See the fix readme.txt for more information.

6.1.0.47 AixPPC32 (AIX, 16 Jan 2015, US English, 1858131 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-AixPPC32-IFPI31516&productid=WebSphere Application Server&brandid=5
6.1.0.47 HpuxIA64 (HP-UX, 16 Jan 2015, US English, 5316810 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-HpuxIA64-IFPI31516&productid=WebSphere Application Server&brandid=5
6.1.0.47 HpuxPaRISC (HP-UX, 16 Jan 2015, US English, 2033212 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-HpuxPaRISC-IFPI31516&productid=WebSphere Application Server&brandid=5
6.1.0.47 LinuxPPC32 (Linux, 16 Jan 2015, US English, 1940712 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-LinuxPPC32-IFPI31516&productid=WebSphere Application Server&brandid=5
6.1.0.47 LinuxS390 (Linux, 16 Jan 2015, US English, 1688095 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-LinuxS390-IFPI31516&productid=WebSphere Application Server&brandid=5
6.1.0.47 LinuxX32 (Linux, 16 Jan 2015, US English, 1626339 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-LinuxX32-IFPI31516&productid=WebSphere Application Server&brandid=5
6.1.0.47 SolarisSparc (Solaris, 16 Jan 2015, US English, 3831846 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-SolarisSparc-IFPI31516&productid=WebSphere Application Server&brandid=5
6.1.0.47 SolarisX64 (Solaris, 16 Jan 2015, US English, 1654727 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-SolarisX64-IFPI31516&productid=WebSphere Application Server&brandid=5
6.1.0.47 WinX32 (Windows, 16 Jan 2015, US English, 4600783 bytes): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-WinX32-IFPI31516&productid=WebSphere Application Server&brandid=5

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Internal Use Only

This is what the download link section looked like before I removed all but the 6.1 iFixes.

Fix | Platform | Date | Language | Size (bytes) | URL
8.5.5.2 - 8.5.5.3 Distributed platforms | AIX | 16 Jan 2015 | US English | 1643116 | http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.5.5.2-WS-WASIHS-MultiOS-IFPI31516&productid=WebSphere Application Server&brandid=5
8.5.5.4 Distributed platforms | AIX | 16 Jan 2015 | US English | 1703631 | http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.5.5.4-WS-WASIHS-MultiOS-IFPI31516&productid=WebSphere Application Server&brandid=5
8.0.0.9 Distributed platforms | AIX | 16 Jan 2015 | US English | 1623477 | http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.0.0.9-WS-WASIHS-MultiOS-IFPI31516&productid=WebSphere%20Application%20Server&brandid=5
7.0.0.33 - 7.0.0.35 AixPPC32 | AIX | 16 Jan 2015 | US English | 75285 | http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.33-WS-WASIHS-AixPPC32-IFPI31516&productid=WebSphere Application Server&brandid=5
7.0.0.33 - 7.0.0.35 HpuxIA64 | HP-UX | 16 Jan 2015 | US English | 195130 | http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.33-WS-WASIHS-HpuxIA64-IFPI31516&productid=WebSphere Application Server&brandid=5
7.0.0.33 - 7.0.0.35 HpuxPaRISC | HP-UX | 16 Jan 2015 | US English | 101860 | http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.33-WS-WASIHS-HpuxPaRISC-IFPI31516&productid=WebSphere Application Server&brandid=5
7.0.0.33 - 7.0.0.35 LinuxPPC32 | Linux | 16 Jan 2015 | US English | 74319 | http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.33-WS-WASIHS-LinuxPPC32-IFPI31516&productid=WebSphere Application Server&brandid=5
7.0.0.33 - 7.0.0.35 LinuxS390 | Linux | 16 Jan 2015 | US English | 80644 | http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.33-WS-WASIHS-LinuxS390-IFPI31516&productid=WebSphere Application Server&brandid=5
7.0.0.33 - 7.0.0.35 LinuxX32 | Linux | 16 Jan 2015 | US English | 67272 | http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.33-WS-WASIHS-LinuxX32-IFPI31516&productid=WebSphere Application Server&brandid=5
7.0.0.33 - 7.0.0.35 SolarisSparc | Solaris | 16 Jan 2015 | US English | 86735 | http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.33-WS-WASIHS-SolarisSparc-IFPI31516&productid=WebSphere Application Server&brandid=5
7.0.0.33 - 7.0.0.35 SolarisX64 | Solaris | 16 Jan 2015 | US English | 83721 | http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.33-WS-WASIHS-SolarisX64-IFPI31516&productid=WebSphere Application Server&brandid=5
7.0.0.33 - 7.0.0.35 WinX32 | Windows | 16 Jan 2015 | US English | 97338 | http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.33-WS-WASIHS-WinX32-IFPI31516&productid=WebSphere Application Server&brandid=5
6.1.0.47 AixPPC32 | AIX | 16 Jan 2015 | US English | 1858131 | http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-AixPPC32-IFPI31516&productid=WebSphere Application Server&brandid=5
6.1.0.47 HpuxIA64 | HP-UX | 16 Jan 2015 | US English | 5316810 | http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-HpuxIA64-IFPI31516&productid=WebSphere Application Server&brandid=5
6.1.0.47 HpuxPaRISC | HP-UX | 16 Jan 2015 | US English | 2033212 | http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-HpuxPaRISC-IFPI31516&productid=WebSphere Application Server&brandid=5
6.1.0.47 LinuxPPC32 | Linux | 16 Jan 2015 | US English | 1940712 | http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-LinuxPPC32-IFPI31516&productid=WebSphere Application Server&brandid=5
6.1.0.47 LinuxS390 | Linux | 16 Jan 2015 | US English | 1688095 | http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-LinuxS390-IFPI31516&productid=WebSphere Application Server&brandid=5
6.1.0.47 LinuxX32 | Linux | 16 Jan 2015 | US English | 1626339 | http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-LinuxX32-IFPI31516&productid=WebSphere Application Server&brandid=5
6.1.0.47 SolarisSparc | Solaris | 16 Jan 2015 | US English | 3831846 | http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-SolarisSparc-IFPI31516&productid=WebSphere Application Server&brandid=5
6.1.0.47 SolarisX64 | Solaris | 16 Jan 2015 | US English | 1654727 | http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-SolarisX64-IFPI31516&productid=WebSphere Application Server&brandid=5
6.1.0.47 WinX32 | Windows | 16 Jan 2015 | US English | 4600783 | http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=6.1.0.47-WS-WASIHS-WinX32-IFPI31516&productid=WebSphere Application Server&brandid=5
8.0.0.10 Distributed platforms | AIX | 5 Mar 2015 | US English | 1623696 | http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.0.0.10-WS-WASIHS-MultiOS-IFPI31516&productid=WebSphere%20Application%20Server&brandid=5

Product: WebSphere Application Server (SSEQTP)
Business Unit: Hybrid Cloud (BU004)
Component: IBM HTTP Server
Platforms: AIX, HP-UX, Linux, Solaris, Windows
Versions: 8.5.5.4, 8.5.5.3, 8.5.5.2, 8.0.0.9, 8.0.0.10, 7.0.0.35, 7.0.0.33, 6.1.0.47
Editions: Advanced, Base, Enterprise, Network Deployment, Single Server

Document Information

Modified date:
15 June 2018

UID

swg24039197