Security Bulletin: Vulnerability in SSLv3 affects IBM UrbanCode Deploy (CVE-2014-3566)

Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM UrbanCode Deploy.

Vulnerability Details

| Subscribe to My Notifications to be notified of important product support alerts like this.

• Follow this link for more information (requires login with your IBM ID)
  —|—

CVE-ID: CVE-2014-3566

Description: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

**CVSS Base Score:**4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97013&gt; for the current score *CVSS Environmental Score:**Undefined **CVSS Vector: **(AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM UrbanCode Deploy 6.0, 6.0.1, 6.0.1.1, 6.0.1.2, 6.0.1.3, 6.0.1.4, 6.0.1.5, 6.0.1.6, 6.1, 6.1.0.1, 6.1.0.2, and 6.1.0.3 on all supported platforms.

Remediation/Fixes

Upgrade to one of the following releases as SSLv3 is automatically disabled:

• IBM UrbanCode Deploy Fix Pack 4 (6.1.0.4) for 6.1
• IBM UrbanCode Deploy Fix Pack 7 (6.0.1.7) for 6.0.1

Note: Old agents may not be able to connect to IBM UrbanCode Deploy without SSLv3 enabled; therefore, UrbanCode Deploy will dynamically enable SSLv3 if there are any undeleted agents with version 6.0.1.0.491104 or lower. If this scenario is detected, a warning message will be output during server startup.
You may disable SSLv3 in one of the following ways:

• Upgrade all old agents to the latest version.

• Put the following property in the server’s conf/server/installed.properties file (Please note that doing this may cause some agents to no longer be able to connect to the server):

com.urbancode.ds.UDeployServer.forceNoSSLv3=true

• Agent relays must also be upgraded. Upgraded agent relays will enable SSLv3 during startup if it detects SSLv3 on the target UrbanCode Deploy server. In the case that the target server is not reachable at the time the relay is started, the relay will default to _disabling _SSLv3. The following properties may be placed in conf/agentrelay.properties to alter this behavior:

• To force SSLv3 to never be enabled on the relay, regardless of the protocols available on the server:

`com.urbancode.air.agentrelay.AgentRelay.forceNoSSLv3=true

`

• To configure the relay to enable SSLv3 if the target server cannot be reached during startup:

com.urbancode.air.agentrelay.AgentRelay.failOpenSSLv3=true

Workarounds and Mitigations

Note: This mitigation is intended for the servers in “Affected Products and Versions” only. It should not be applied on later releases. Additionally, IBM UrbanCode Deploy Agents with version 6.0.1.0.491104 and earlier may be unable to connect after applying this changes. It is highly recommended to address this issue by upgrading the IBM UrbanCode Deploy server to 6.1.0.4 or 6.0.1.7, and then upgrade all agents.

Mitigating POODLE attacks on agent communication (by default, communication on port 7918):

1. Open the file <server_install_dir>/conf/server/activemq.xml in a text editor

2. At the bottom of the file, find the element called <transportConnector /> nested within the element named <transportConnectors />.

3. Edit this element’s uri attribute.

Follow the following instructions exactly, do not add any extra characters or whitespace.

1. If the uri attribute looks like this:   

uri="ah3://${server.host}:${server.jms.port}?transport.enabledProtocols=SSL,SSLv3,TLS,TLSv1,TLSv1.1,TLSv1.2,SSL_TLSv2&transport.enabledCipherSuites=${server.ssl.enabledCiphers}"

Alter the attribute to reflect the changes in bold:

uri="ah3://${server.host}:${server.jms.port}?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&transport.enabledCipherSuites=${server.ssl.enabledCiphers}"

2. If the uri attribute looks like this:  

uri="ah3://${server.host}:${server.jms.port}"

Alter the attribute to reflect the changes in bold:

uri="ah3://${server.host}:${server.jms.port}?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"

Mitigating POODLE attacks on HTTP communication (by default, communication on port 8443)

1. Open the file <server_install_dir>/opt/tomcat/conf/server.xml in a text editor

2. Find the XML element that begins with `<Connector port=“${install.server.web.https.port}”

`
3. Update the following attributes within this XML element.

Do not add any extra characters or whitespace. If the attribute does not exist, then create it.

1. For UrbanCode Deploy versions 6.0, 6.0.1, 6.0.1.1, 6.0.1.2, 6.0.1.3, 6.0.1.4, 6.0.1.5, 6.1.0.0, and 6.1.0.1:  

sslProtocol="TLS" protocols="TLSv1,TLSv1.1,TLSv1.2"

2. For UrbanCode Deploy version 6.0.1.6, 6.1.0.2, and 6.1.0.3:  

sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

Mitigating POODLE attacks on JMS communication on agent relays (by default, communication on port 7916):

1. On the agent relay, open the file <agentrelay_install_dir>/conf/jms-relay/activemq.xml in a text editor

2. At the bottom of the file, find the element called <transportConnector />, nested within the element named `<transportConnectors />

`
3. Edit this elements “uri” attribute.

Follow the instructions exactly, do not add any extra characters or whitespace.

1. If the uri attribute looks like this:

`uri=“ah3://${agentrelay.jms_proxy.relay_host}:${agentrelay.jms_proxy.relay_port}”

`Append the following text (in bold) to the attribute:

uri="ah3://${agentrelay.jms_proxy.relay_host}:${agentrelay.jms_proxy.relay_port}``**?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2**``"
2. If the uri attribute looks like this:

`uri=“ah3://${agentrelay.jms_proxy.relay_host}:${agentrelay.jms_proxy.relay_port}?transport.enabledProtocols=SSL,SSLv3,TLS,TLSv1,TLSv1.1,TLSv1.2,SSL_TLSv2”

`Alter the text to reflect the change in bold:

uri="ah3://${agentrelay.jms_proxy.relay_host}:${agentrelay.jms_proxy.relay_port}?transport.enabledProtocols=``**TLSv1,TLSv1.1,TLSv1.2**``"

Get Notified about Future Security Bulletins

Subscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html&gt;) to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Subscribe to Security Bulletins

Acknowledgement

None

Change History

• 04 November 2014: Updated with details on the 6.0.1.7 and 6.1.0.4 fixpacks
• 21 October 2014: Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES ““AS IS”” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. “Affected Products and Versions” referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

Internal Use Only

PSIRT # 2290 Record # 45076

Attachments

All source code and/or binaries attached to this document are referred to here as “the Program”. IBM is not providing program services of any kind for the Program. IBM is providing the Program on an “AS IS” basis without warranty of any kind. IBM WILL NOT BE LIABLE FOR ANY ACTUAL, DIRECT, SPECIAL, INCIDENTAL, OR INDIRECT DAMAGES OR FOR ANY ECONOMIC CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), EVEN IF IBM, OR ITS RESELLER, HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

activemq-example.xml	server-example.xml

[{“Product”:{“code”:“SS4GSP”,“label”:“IBM UrbanCode Deploy”},“Business Unit”:{“code”:“BU053”,“label”:“Cloud & Data Platform”},“Component”:“Security”,“Platform”:[{“code”:“PF002”,“label”:“AIX”},{“code”:“PF016”,“label”:“Linux”},{“code”:“PF033”,“label”:“Windows”}],“Version”:“6.0;6.0.1;6.0.1.1;6.0.1.2;6.0.1.3;6.0.1.4;6.0.1.5;6.0.1.6;6.1;6.1.0.1;6.1.0.2;6.1.0.3”,“Edition”:“”,“Line of Business”:{“code”:“LOB45”,“label”:“Automation”}}]