3.4 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM uBuild.
| Subscribe to My Notifications to be notified of important product support alerts like this.
CVE-ID: CVE-2014-3566
Description: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.
**CVSS Base Score:**4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97013> for the current score *CVSS Environmental Score:**Undefined **CVSS Vector: **(AV:N/AC:M/Au:N/C:P/I:N/A:N)
IBM uBuild 5.0, 5.0.1, 5.0.1.1, 5.0.1.2, and 5.0.1.3 on all supported platforms.
Upgrade to IBM uBuild Fix Pack 4 (5.0.1.4) for 5.0.1 as SSLv3 is automatically disabled:
Note: Old agents may not be able to connect to IBM uBuild when SSLv3 has not been disabled on the agent. To disable SSLv3, upgrade all old agents to the latest version. There are also known issues with older plugins that connect back to the server to upload source changes, issues, reports, etc. when using the IBM JDK/JRE. To avoid any potential issues, upgrade all plugins in your server to the latest version available on our plugins page.
Note: This mitigation is intended for the servers in “Affected Products and Versions” only. It should not be applied on later releases. Additionally, IBM uBuild Agents with a version earlier than 5.0.0-584477 may be unable to connect after applying this change. It is highly recommended to address this issue by upgrading the IBM uBuild server to 5.0.1.4 and then upgrading all agents.
Mitigating POODLE attacks on HTTP communication (by default, communication on port 8443)
Open the file <server_install_dir>/opt/tomcat/conf/server.xml
in a text editor
Find the XML element that begins with `<Connector port=“${install.server.web.https.port}”
`
3. Update the following attributes within this XML element.
Do not add any extra characters or whitespace. If the attribute does not exist, then create it.
sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
CPE | Name | Operator | Version |
---|---|---|---|
ibm ubuild | eq | 5.0 | |
ibm ubuild | eq | 5.0.1 | |
ibm ubuild | eq | 5.0.1.1 | |
ibm ubuild | eq | 5.0.1.2 | |
ibm ubuild | eq | 5.0.1.3 |
3.4 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N