**CVSS3: 3.4 Low**

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | HIGH |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | CHANGED |
| Confidentiality Impact | LOW |
| Integrity Impact | NONE |
| Availability Impact | NONE |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N |

**CVSS2: 4.3 Medium**

| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | MEDIUM |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | NONE |
| Availability Impact | NONE |
| Vector | AV:N/AC:M/Au:N/C:P/I:N/A:N |
SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSL_TLS is enabled by default in Build Forge in some pages.
**CVE ID:** CVE-2014-3566

**Description:** IBM WebSphere Application could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

**CVSS Base Score:** 4.3
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97013> for the current score
**CVSS Environmental Score:** Undefined
**CVSS Vector:** (AV:N/AC:M/Au:N/C:P/I:N/A:N)
IBM Rational Build Forge versions 7.1.1, 7.1.2, 7.1.3 and 8.0
You can disable SSLv3 by changing the configuration files with the following steps.

**Note:** bfinstall is used below to represent the installation directory you have chosen for Build Forge.

Procedure:

1. Open the Build Forge console in a browser.
2. Go to Administration > Security-SSL.
3. Change all the SSL_TLS/SSLv3/SSL values to TLSv1 and save.
4. Back up the bfclient.conf file.
   - By default, bfclient.conf is under \bfinstall on Windows.
   - By default, bfclient.conf is under /bfinstall/<platform> on Linux and UNIX.
5. Go to Administration > Security.
6. Click **Update Master BFClient.conf**.
   **Note:** The bfclient.conf file is used for communication between the Build Forge Service Layer and the UI and Engine. It is also used by the Build Forge API when you use a secure connection to Build Forge.
7. Stop Build Forge.
8. Change the Apache ssl.conf config file.
   - ssl.conf is under *\bfinstall\Apache\Conf\ssl* on Windows.
   - ssl.conf is under /bfinstall/server/apache/conf/ssl/ on Linux and UNIX.
   Update the following line for your version of Build Forge.
   From: `SSLProtocol -ALL +SSLv3 +TLSv1`
   To: `SSLProtocol -ALL +TLSv1`
   For Build Forge 8.0.0.x:
   From: `SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2`
   To: `SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2`
9. Change the Tomcat server.conf config.
   - server.conf is under *\bfinstall\Apache\tomcat\conf* on Windows.
   - server.conf is under /bfinstall/server/tomcat/conf/ on Linux and UNIX.
   Find the `sslProtocol="SSL_TLS"` line, change `SSL_TLS` to `TLS`, and save.
   **Note:** If Build Forge is installed with WebSphere Application Server, this step is not required.
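The two file edits above are easy to get subtly wrong (a leftover `+SSLv3` token, or an `SSLProtocol` directive in a second file that was never touched), so a defender typically verifies the result on disk before bringing the service back up. The following script is an added example, not IBM's tooling or part of the bulletin. It evaluates `SSLProtocol` lines with mod_ssl's token rules (`all` expands to every protocol, `+name` adds, `-name` removes, a bare name replaces the set) and scans the Tomcat connector config for the `sslProtocol` attribute, reporting whether SSLv3 is still reachable. The config fragments embedded in it are constructed to match the shape the bulletin quotes; the only assumptions are that Tomcat's connector is written as an XML `Connector` element with an `sslProtocol` attribute and that any value beginning with `SSL` (such as `SSL_TLS`) is the pre-fix state.

```python
"""Offline check that the Build Forge SSLv3 remediation landed in both config files."""
import re

# Protocol names mod_ssl accepts, keyed lowercase so matching is case-insensitive.
_KNOWN = {p.lower(): p for p in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")}

# Constructed sample fragments in the shape the bulletin quotes (not copied from an install).
APACHE_BEFORE = "SSLProtocol -ALL +SSLv3 +TLSv1\n"
APACHE_AFTER = "SSLProtocol -ALL +TLSv1\n"
APACHE_8_BEFORE = "SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2\n"
APACHE_8_AFTER = "SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2\n"
TOMCAT_BEFORE = '<Connector port="8443" scheme="https" secure="true" sslProtocol="SSL_TLS" />\n'
TOMCAT_AFTER = '<Connector port="8443" scheme="https" secure="true" sslProtocol="TLS" />\n'

# Matches sslProtocol="..." on a Connector element (assumed attribute layout).
_SSLPROTO_ATTR = re.compile(r'\bsslProtocol\s*=\s*"([^"]*)"', re.IGNORECASE)


def apache_enabled_protocols(conf_text):
    """Return one set of enabled protocols per SSLProtocol directive in conf_text.

    Models mod_ssl's parser: each directive starts from an empty set, 'all'
    expands to every known protocol, '+name' adds, '-name' removes, and a bare
    name replaces the set with that protocol. Unknown names are ignored.
    """
    results = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if not parts or parts[0].lower() != "sslprotocol":
            continue
        enabled = set()
        for token in parts[1:]:
            action = ""
            if token[0] in "+-":
                action, token = token[0], token[1:]
            lowered = token.lower()
            if lowered == "all":
                names = set(_KNOWN.values())
            else:
                names = {_KNOWN[lowered]} if lowered in _KNOWN else set()
            if action == "+":
                enabled |= names
            elif action == "-":
                enabled -= names
            else:
                enabled = set(names)
        results.append(enabled)
    return results


def tomcat_sslprotocol_values(server_conf_text):
    """Return every sslProtocol attribute value found in the Tomcat connector config."""
    return _SSLPROTO_ATTR.findall(server_conf_text)


def audit(apache_conf, tomcat_conf):
    """Return human-readable findings; an empty list means both edits are in place."""
    findings = []
    apache_sets = apache_enabled_protocols(apache_conf)
    if not apache_sets:
        findings.append("apache: no SSLProtocol directive found; the server default applies")
    for index, enabled in enumerate(apache_sets, start=1):
        if enabled & {"SSLv2", "SSLv3"}:
            findings.append(f"apache: SSLProtocol directive {index} still enables {sorted(enabled)}")
    values = tomcat_sslprotocol_values(tomcat_conf)
    if not values:
        findings.append("tomcat: no sslProtocol attribute found; the JSSE default applies")
    for value in values:
        if value.upper().startswith("SSL"):
            findings.append(f'tomcat: sslProtocol="{value}" has not been changed to TLS')
    return findings


if __name__ == "__main__":
    for label, apache, tomcat in (("before", APACHE_BEFORE, TOMCAT_BEFORE),
                                  ("after", APACHE_AFTER, TOMCAT_AFTER)):
        print(label, audit(apache, tomcat) or ["ok: SSLv3 disabled in both files"])
```

To run it against a real install, read the ssl.conf and Tomcat connector file from the bfinstall paths listed in steps 8 and 9 and pass their contents to `audit`; the on-disk check is a complement to, not a replacement for, confirming with a TLS scanner after restart that the listener no longer negotiates SSLv3.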