History: Jun 16, 2018 - 1:07 p.m.

Security Bulletin: Vulnerability in SSLv3 affects Warehouse Administration Console and Cubing Services components of IBM InfoSphere Warehouse and IBM DB2 for Linux, Unix and Windows (CVE-2014-3566)

www.ibm.com

3.4 Low (CVSS3)
Attack Vector: NETWORK; Attack Complexity: HIGH; Privileges Required: NONE; User Interaction: REQUIRED; Scope: CHANGED; Confidentiality Impact: LOW; Integrity Impact: NONE; Availability Impact: NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

4.3 Medium (CVSS2)
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: NONE; Availability Impact: NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N

Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. IBM InfoSphere Warehouse and IBM DB2 for Linux, Unix and Windows do not directly enable SSLv3. However, WAS (WebSphere Application Server) is bundled with IBM InfoSphere Warehouse and IBM DB2 for Linux, Unix and Windows. WAS is used for hosting Warehouse Administration Console. SSLv3 could be enabled in WAS and IBM HTTP Server, which comes with WebSphere Application Server. Additionally, although IBM InfoSphere Warehouse Cubing Services also does not use SSLv3 directly, it is possible for a customer to have independently configured SSL for Jetty (a Java-based web server shipped with Cubing Services). If SSL is configured for Jetty, customers are urged to disable SSLv3 in the Jetty configuration file.

Vulnerability Details

CVE-ID: CVE-2014-3566

DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plain text of encrypted connections. Although IBM InfoSphere Warehouse and IBM DB2 for Linux, Unix and Windows do not implement the SSLv3 feature directly, they are both packaged with WebSphere Application Server and Jetty, which come with SSLv3 capabilities. Customers are urged to disable SSLv3 in these products as the current mitigation. If any fixes become available, the bulletin will be updated accordingly.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Product Version | Affected Components | Note
---|---|---
InfoSphere Warehouse v9.5 (All Editions): Starter Edition (Linux and Windows only); Intermediate Edition (Linux and Windows only); Advanced Edition (Linux only); Base Edition; Enterprise Edition; Developer Edition | WebSphere Application Server v6.1.0.9; Jetty (web server included in InfoSphere Warehouse Cubing Services) | WebSphere Application Server package contains IBM HTTP Server
InfoSphere Warehouse v9.7 (All Editions): Advanced Enterprise Edition; Enterprise Edition; Enterprise Base Edition; Advanced Departmental Edition; Departmental Edition; Departmental Base Edition; Developer Edition | WebSphere Application Server v6.x, v7.x; Jetty (web server included in InfoSphere Warehouse Cubing Services) | WebSphere Application Server package contains IBM HTTP Server
InfoSphere Warehouse v10.1 (All Editions): Advanced Enterprise Edition; Enterprise Edition; Enterprise Base Edition; Advanced Departmental Edition; Departmental Edition; Departmental Base Edition; Developer Edition | WebSphere Application Server v8.x; WebSphere Application Server Liberty Profile v8.5.x; Jetty (web server included in InfoSphere Warehouse Cubing Services) | WebSphere Application Server package contains IBM HTTP Server
DB2 for Linux, Unix and Windows v10.5: Advanced Workgroup Server Edition; Advanced Enterprise Server Edition; Developer Edition | WebSphere Application Server v8.x; WebSphere Application Server Liberty Profile v8.5.x; Jetty (web server included in InfoSphere Warehouse Cubing Services) | WebSphere Application Server package contains IBM HTTP Server

Remediation/Fixes

IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3.

Workarounds and Mitigations

Please refer to the Security Bulletin for IBM HTTP Server to remediate your webserver.
Please refer to the Security Bulletin for IBM WebSphere Application Server to remediate your WebSphere Application Server.
IBM InfoSphere Warehouse and IBM DB2 for Linux, Unix and Windows do not use SSLv3 directly, hence mitigation is done through the corresponding WebSphere Application Server.

For customers who use InfoSphere Warehouse Cubing Services:
InfoSphere Warehouse Cubing Services does not use SSLv3 directly. However, if SSL is configured for Jetty for use by the XMLA provider, mitigation is needed to disable SSLv3 in all Jetty configuration files in all instances of InfoSphere Warehouse Cubing Services.

The Cubing Services installation comes with a jetty.xml file that is located in the /CubingServices/jetty/jetty.xml directory. By default some elements, such as the SSL configuration, are commented out in this basic configuration file. Be aware that there may be multiple copies of jetty.xml that appear as <cubeServerName>.jetty.xml files. Any jetty.xml or <cubeServerName>.jetty.xml file that has been updated to activate SSL needs to be updated to disable SSLv3 by completing the following steps:

1. Stop all cube servers.
2. For each affected jetty.xml or <cubeServerName>.jetty.xml file, open the file and locate the following line: <Set name="Protocol">SSLv3</Set>
3. Change the line to <Set name="Protocol">TLSv1</Set>
4. Save the jetty.xml file.
5. Start the cube servers.
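As an added example (not IBM's code and not part of the bulletin), a Python helper for steps 2 and 3 above, run against a constructed jetty.xml sample: it reports only a live `<Set name="Protocol">SSLv3</Set>`, so the commented-out SSL block the bulletin says ships by default is not flagged the way a plain text search would flag it, and it rewrites only live occurrences, defaulting to the TLSv1 value the bulletin prescribes.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample shaped like a Jetty 6 SSL connector block (not a real Cubing Services
# file): one commented-out Protocol line, as in the shipped default, and one live SSLv3 line.
SAMPLE_JETTY_XML = """<?xml version="1.0"?>
<Configure id="Server" class="org.mortbay.jetty.Server">
  <!-- SSL configuration is commented out in the default jetty.xml:
  <Set name="Protocol">SSLv3</Set>
  -->
  <Call name="addConnector">
    <Arg>
      <New class="org.mortbay.jetty.security.SslSocketConnector">
        <Set name="Protocol">SSLv3</Set>
      </New>
    </Arg>
  </Call>
</Configure>
"""

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
PROTOCOL_RE = re.compile(r'<Set\s+name=["\']Protocol["\']>\s*SSLv3\s*</Set>')

def active_protocols(xml_text):
    """Protocol values in effect; the XML parser drops comments, so the
    commented-out default SSL block is not reported as a finding."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter("Set")
            if el.get("name") == "Protocol" and el.text]

def uses_sslv3(xml_text):
    """True when a live <Set name="Protocol">SSLv3</Set> is present (step 2)."""
    return "SSLv3" in active_protocols(xml_text)

def remediate(xml_text, replacement="TLSv1"):
    """Rewrite live SSLv3 Protocol settings to the value step 3 prescribes,
    leaving commented-out regions untouched. Returns (new_text, replacements)."""
    new_setting = f'<Set name="Protocol">{replacement}</Set>'
    out, pos, count = [], 0, 0
    for m in COMMENT_RE.finditer(xml_text):        # text before each comment is live
        chunk, n = PROTOCOL_RE.subn(new_setting, xml_text[pos:m.start()])
        out += [chunk, m.group(0)]                  # keep the comment verbatim
        pos, count = m.end(), count + n
    chunk, n = PROTOCOL_RE.subn(new_setting, xml_text[pos:])
    return "".join(out + [chunk]), count + n

def audit_tree(directory):
    """Map each jetty.xml and <cubeServerName>.jetty.xml under directory to whether SSLv3 is live."""
    return {str(p): uses_sslv3(p.read_text()) for p in Path(directory).rglob("*jetty.xml")}
```

Run `audit_tree` over the Cubing Services directory before stopping the cube servers to find every affected copy, and again after the edit to confirm nothing still reports SSLv3.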

The IBM SDK, Java Technology Edition has also been updated to disable SSLv3. Regardless of whether SSL is configured for Jetty, it is recommended to remediate your IBM SDK installation used by InfoSphere Warehouse Cubing Services.

Please refer to the Security Bulletin for IBM SDK, Java Technology Edition and the POODLE Technote for IBM SDK, Java Technology Edition to remediate your IBM SDK installations.

IBM customers requiring an update for a Jetty configuration file or for an IBM SDK shipped with an IBM product should contact IBM support, and/or refer to the appropriate product security bulletin.
