Security Bulletin: Vulnerability in SSLv3 affects IBM uBuild (CVE-2014-3566)

Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM uBuild.

Vulnerability Details

| Subscribe to My Notifications to be notified of important product support alerts like this.

• Follow this link for more information (requires login with your IBM ID)
  —|—

CVE-ID: CVE-2014-3566

Description: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

**CVSS Base Score:**4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97013&gt; for the current score *CVSS Environmental Score:**Undefined **CVSS Vector: **(AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM uBuild 5.0, 5.0.1, 5.0.1.1, 5.0.1.2, and 5.0.1.3 on all supported platforms.

Remediation/Fixes

Upgrade to IBM uBuild Fix Pack 4 (5.0.1.4) for 5.0.1 as SSLv3 is automatically disabled:

Note: Old agents may not be able to connect to IBM uBuild when SSLv3 has not been disabled on the agent. To disable SSLv3, upgrade all old agents to the latest version. There are also known issues with older plugins that connect back to the server to upload source changes, issues, reports, etc. when using the IBM JDK/JRE. To avoid any potential issues, upgrade all plugins in your server to the latest version available on our plugins page.

Workarounds and Mitigations

Note: This mitigation is intended for the servers in “Affected Products and Versions” only. It should not be applied on later releases. Additionally, IBM uBuild Agents with a version earlier than 5.0.0-584477 may be unable to connect after applying this change. It is highly recommended to address this issue by upgrading the IBM uBuild server to 5.0.1.4 and then upgrading all agents.

Mitigating POODLE attacks on HTTP communication (by default, communication on port 8443)

1. Open the file <server_install_dir>/opt/tomcat/conf/server.xml in a text editor

2. Find the XML element that begins with `<Connector port=“${install.server.web.https.port}”

`
3. Update the following attributes within this XML element.

Do not add any extra characters or whitespace. If the attribute does not exist, then create it.

sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"