Security Bulletin: Vulnerability in SSLv3 affects IBM InfoSphere Balanced Warehouse C3000, C4000, IBM Smart Analytics System 1050, 2050 and 5710 (CVE-2014-3566)

2018-06-1613:58:30

www.ibm.com

EPSS

0.975

Percentile

100.0%

JSON

Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM InfoSphere Balanced Warehouse C3000, C4000, IBM Smart Analytics System 1050, 2050 and 5710.

Vulnerability Details

CVE-ID: CVE-2014-3566

DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM InfoSphere Balanced Warehouse C3000
IBM InfoSphere Balanced Warehouse C4000
IBM Smart Analytics System 1050
IBM Smart Analytics System 2050
IBM Smart Analytics System 5710

Remediation/Fixes

For each affected component in the table, download the recommended fix, and install using the link in the Installation Instructions column.

For more information about IBM IDs, see the Help and FAQ.

IBM InfoSphere Balanced Warehouse C3000 and C4000 for Linux

Affected Component|Recommended Fix|Download Link|Installation Instructions
SUSE Linux Enterprise Server 10| Update OpenSSL to 0.9.8a-18.86.3| Novell: Patch 8982| Installing a SUSE Linux Enterprise Server update in a Balanced Warehouse or IBM Smart Analytics System or Balanced Warehouse environment
IBM WebSphere Application Server 7| Install Interim Fix PI28439| IBM Fix Central: Interim Fix PI28439| Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566)
Cognos Business Intelligence 8.4.1| Install Interim Fix 8| IBM Fix Central: Cognos Business Intelligence 8.4.1 Interim Fix 8| Cognos Business Intelligence 8.4.1 Interim Fix 8 addresses a security vulnerability
IBM InfoSphere Balanced Warehouse C3000 and C4000 for Windows Affected Component|Recommended Fix|Download Link|Installation Instructions
IBM WebSphere Application Server 7| Install Interim Fix PI28439| IBM Fix Central: Interim Fix PI28439| Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566)
Cognos Business Intelligence 8.4.1| Install Interim Fix 8| IBM Fix Central: Cognos Business Intelligence 8.4.1 Interim Fix 8| Cognos Business Intelligence 8.4.1 Interim Fix 8 addresses a security vulnerability
IBM Smart Analytics System 1050 for Linux Affected Component|Recommended Fix|Download Link|Installation Instructions
IBM System x3500 M3| Update IMM to 1.47| IBM Fix Central: IMM 1.47| Updating the IBM System x IMM, UEFI, or DSA - Preboot Embedded in an IBM InfoSphere Balanced Warehouse or IBM Smart Analytics System environment
SUSE Linux Enterprise Server 11| Update OpenSSL to 0.9.8j-0.66.1

Update suseRegister to 1.4-1.35.1

Update evolution-data-server to 2.28.2-0.32.1

Update IBM Java to 1.6.0_sr16.2-0.3.1| Novell: Patch 9915

Novell: Patch 10008

Novell: Patch 9969

Novell: Patch 9992| Installing a SUSE Linux Enterprise Server update in a Balanced Warehouse or IBM Smart Analytics System or Balanced Warehouse environment
IBM WebSphere Application Server 7| Install Interim Fix PI28439| IBM Fix Central: Interim Fix PI28439| Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566)
Cognos Business Intelligence 8.4.1| Install Interim Fix 8| IBM Fix Central: Cognos Business Intelligence 8.4.1 Interim Fix 8| Cognos Business Intelligence 8.4.1 Interim Fix 8 addresses a security vulnerability
IBM Smart Analytics System 1050 for Windows Affected Component|Recommended Fix|Download Link|Installation Instructions
IBM System x3500 M3| Update IMM to 1.47| IBM Fix Central: IMM 1.47| Updating the IBM System x IMM, UEFI, or DSA - Preboot Embedded in an IBM InfoSphere Balanced Warehouse or IBM Smart Analytics System environment
IBM WebSphere Application Server 7| Install Interim Fix PI28439| IBM Fix Central: Interim Fix PI28439| Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566)
Cognos Business Intelligence 8.4.1| Install Interim Fix 8| IBM Fix Central: Cognos Business Intelligence 8.4.1 Interim Fix 8| Cognos Business Intelligence 8.4.1 Interim Fix 8 addresses a security vulnerability
IBM Smart Analytics System 2050 for Linux Affected Component|Recommended Fix|Download Link|Installation Instructions
IBM System x3850 X5| Update IMM to 1.47| IBM Fix Central: IMM 1.47| Updating the IBM System x IMM, UEFI, or DSA - Preboot Embedded in an IBM InfoSphere Balanced Warehouse or IBM Smart Analytics System environment
SUSE Linux Enterprise Server 11| Update OpenSSL to 0.9.8j-0.66.1

Update suseRegister to 1.4-1.35.1

Update evolution-data-server to 2.28.2-0.32.1

Update IBM Java to 1.6.0_sr16.2-0.3.1| Novell: Patch 9915

Novell: Patch 10008

Novell: Patch 9969

Novell: Patch 9992| Installing a SUSE Linux Enterprise Server update in a Balanced Warehouse or IBM Smart Analytics System or Balanced Warehouse environment
IBM WebSphere Application Server 7| Install Interim Fix PI28439| IBM Fix Central: Interim Fix PI28439| Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566)
Cognos Business Intelligence 8.4.1| Install Interim Fix 8| IBM Fix Central: Cognos Business Intelligence 8.4.1 Interim Fix 8| Cognos Business Intelligence 8.4.1 Interim Fix 8 addresses a security vulnerability
IBM Smart Analytics System 2050 for Windows Affected Component|Recommended Fix|Download Link|Installation Instructions
IBM System x3850 X5| Update IMM to 1.47| IBM Fix Central: IMM 1.47| Updating the IBM System x IMM, UEFI, or DSA - Preboot Embedded in an IBM InfoSphere Balanced Warehouse or IBM Smart Analytics System environment
IBM WebSphere Application Server 7| Install Interim Fix PI28439| IBM Fix Central: Interim Fix PI28439| Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566)
Cognos Business Intelligence 8.4.1| Install Interim Fix 8| IBM Fix Central: Cognos Business Intelligence 8.4.1 Interim Fix 8| Cognos Business Intelligence 8.4.1 Interim Fix 8 addresses a security vulnerability
IBM Smart Analytics System 5710 Affected Component|Recommended Fix|Download Link|Installation Instructions
IBM System x3630 M3| Update IMM to 1.47| IBM Fix Central: IMM 1.47| Updating the IBM System x IMM, UEFI, or DSA - Preboot Embedded in an IBM InfoSphere Balanced Warehouse or IBM Smart Analytics System environment
SUSE Linux Enterprise Server 11| Update OpenSSL to 0.9.8j-0.66.1

Update suseRegister to 1.4-1.35.1

Update evolution-data-server to 2.28.2-0.32.1

Update IBM Java to 1.6.0_sr16.2-0.3.1| Novell: Patch 9915

Novell: Patch 10008

Novell: Patch 9969

For assistance, contact IBM Support:

In the United States and Canada dial 1-800-IBM-SERV
View the support contacts for other countries outside of the United States.
Electronically open a Service Request with IBM Support.

IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3. You should verify disabling SSLv3 does not cause any compatibility issues.