Security Bulletin: Vulnerability in SSLv3 affects IBM Intelligent Operations Center and related products, and Integrated Information Core (CVE-2014-3566)

Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM HTTP Server and IBM WebSphere Application Server, used by the IBM products listed below.

Vulnerability Details

CVE ID:****CVE-2014-3566

Description: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.
Detailed description at us-cert.gov.

IBM HTTP Server and IBM WebSphere Application Server may both be vulnerable, because SSLv3 is enabled by default both in IBM HTTP Server and in IBM WebSphere Application Server.

CVSS:
CVSS Base Score: 4.3 (medium)
CVSS Impact Score: 2.9 (low)
CVSS Exploitability Score: 8.6 (high)
CVSS Temporal Score: Undefined; See also <https://exchange.xforce.ibmcloud.com/vulnerabilities/97013&gt;
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Affected Products and Versions

This vulnerability affects all versions and releases of the IBM HTTP Server component in all editions of WebSphere Application Server and bundling products; and all versions and releases of IBM WebSphere Application Server in:

Versions 1.5 and 1.6, all sub-versions, of

• IBM Intelligent Operations Center
• IBM Intelligent Operations for Water
• IBM Intelligent Operations for Transportation
• IBM Intelligent City Planning and Operations

and

• IBM Chemical and Petroleum Integrated Information Frameworks v1.4
• IBM Integrated Information Core v 1.5

Remediation/Fixes

None

Workarounds and Mitigations

Assumptions

IBM Intelligent Operations Center Product Family
These procedures assume some familiarity with Linux usage.

All the steps should be run as the root user unless otherwise noted.

For IBM Intelligent Operations Center product family systems the Administrator might want to temporarily enable remote root log on, which is disabled by cyber hygiene. See Re-enabling remote root log on in the Intelligent Operations Center product documentation.

IBM Chemical and Petroleum Integrated Information Frameworks v1.4 and IBM Integrated Information Core v 1.5.
These procedures assume some familiarity with Windows usage.

Reconfigure the IBM HTTP Server****
Follow instructions in IBM Security Bulletin: Vulnerability in SSLv3 affects IBM HTTP Server (CVE-2014-3566).

Instructions include adding a directive to a configuration file and then stopping and restarting IHS for the changes to take affect.

IBM Intelligent Operations Center Product Family
IBM HTTP Server is on the Web server (v.1.6) or on the Application server (v.1.5).

In v.1.5 IBM HTTP Server is on the Application server, although not listed as one of the components in Products and components included with the IBM Intelligent Operations Center v.1.5.

There is no need to restart all services in IBM Intelligent Operations Center, IBM Intelligent Operations for Water, IBM Intelligent Operations for Transportation, or IBM Intelligent City Planning and Operations.

IBM Chemical and Petroleum Integrated Information Frameworks v1.4 and IBM Integrated Information Core v 1.5.
Locate the IBM HTTP Server and follow the instructions referenced above.

Optionally reconfigure the IBM WebSphere Application Server

It should not be necessary to remove this vulnerability in IBM WebSphere Application Server as it is used in these applications, because the WebSphere Application Server port is not used to communicate outside of this machine cluster. All communications to the outside go through the HTTP server. One may nevertheless proceed out of an abundance of caution, if desired.

Follow instructions in IBM Security Bulletin: Vulnerability in SSLv3 affects WebSphere Application Server (CVE-2014-3566).

Instructions include, from the Administrator console, changing the SSL protocol, running a command-line task, modifying a properties file, applying and saving, and in some cases restarting nodes and node agents.

IBM Intelligent Operations Product Family

WebSphere Application Server runs in several versions on several servers. To determine which servers have instances of WebSphere Application Server, see in all cases documentation on IBM Intelligent Operations Center, which is the foundation on top of which IBM Intelligent Operations for Water, IBM Intelligent Operations for Transportation, and IBM Intelligent City Planning and Operations are run.

For v.1.5 versions of IBM Intelligent Operations Center, IBM Intelligent Operations for Water, or IBM Intelligent Operations for Transportation see Products and components included with the IBM Intelligent Operations Center v.1.5.

For v.1.6 versions of IBM Intelligent Operations Center, IBM Intelligent Operations for Water, IBM Intelligent Operations for Transportation, or IBM Intelligent City Planning and Operations Transportation see Products and components included with the IBM Intelligent Operations Center v.1.6 in a standard or high-availability topology.

There is no need to restart all services in IBM Intelligent Operations Center, IBM Intelligent Operations for Water, IBM Intelligent Operations for Transportation, or IBM Intelligent City Planning and Operations.

IBM Chemical and Petroleum Integrated Information Frameworks v1.4 and IBM Integrated Information Core v 1.5.

Locate the IBM WebSphere Application Servers and follow the instructions referenced above.