Lucene search

K
ibmIBM774447A42E7584CA310C1D881A1B9F22575B31868A10B3206AEFDCC52F166509
HistoryJun 17, 2018 - 10:31 p.m.

Security Bulletin: Vulnerability in SSLv3 affects IBM UrbanCode Release (CVE-2014-3566)

2018-06-1722:31:55
www.ibm.com
19

3.4 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM UrbanCode Release.

Vulnerability Details

| Subscribe to My Notifications to be notified of important product support alerts like this.

  • Follow this link for more information (requires login with your IBM ID)
    —|—

CVE-ID: CVE-2014-3566

Description: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

**CVSS Base Score:**4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97013&gt; for the current score *CVSS Environmental Score:**Undefined **CVSS Vector: **(AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM UrbanCode Release 6.0, 6.0.0.1, 6.0.1, 6.0.1.1, 6.0.1.2, 6.0.1.3, 6.0.1.4, 6.1, 6.1.0.1, 6.1.0.2, 6.1.0.3, and 6.1.0.4 on all supported platforms.

Remediation/Fixes

None

Workarounds and Mitigations

Mitigating POODLE attacks as follows:

  1. Open &lt;tomcat_dir&gt;/conf/server.xml in a text editor.
    By default, &lt;tomcat_dir&gt; is located at:
  • (Linux): /opt/IBM/UCRelease/server/tomcat
  • (Windows): `C:\Program Files\IBM\UCRelease\server\tomcat

`

  • Find an XML element named &lt;Connector&gt; with the attribute SSLEnabled="true".

  • Within this element, find the attribute:`

sslProtocol=${urbancode.connector.sslProtocol}`.

Replace with the attribute:

sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2".

  • Apply these changes by restarting the server.

3.4 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

Related for 774447A42E7584CA310C1D881A1B9F22575B31868A10B3206AEFDCC52F166509