3.4 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. This bulletin addresses the POODLE issue which affected the IMM1 as well as another issue in OpenSSL disclosed in October 2014.
SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. This bulletin addresses the POODLE issue which affected the IMM1 as well as another issue in OpenSSL disclosed in October 2014.
Vulnerability Details:
CVE-ID: CVE-2014-3566
Description: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the “POODLE” issue.
CVSS Base Score: 4.3
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/97013> for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2014-3568
Description: OpenSSL could allow a remote attacker bypass security restrictions. When configured with “no-ssl3” as a build option, servers could accept and complete a SSL 3.0 handshake. An attacker could exploit this vulnerability to perform unauthorized actions.
CVSS Base Score: 2.6
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/97037> for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)
The following IMM code levels exhibit this issue:
The following platforms are be affected:
It’s recommended to update IMM to 1.47 YUOOG7C or later. Firmware updates are available through IBM Fix Central.
In addition to updating to the recommended firmware version, the following configuration change is required using one of the two options described below:
Through the IMM web interface, on the IMM Security page, select “High Security Mode” in the “Cryptography Management” section.
-OR-
Use the following ASU command: asu set imm.ssl_cipher “high security mode”
After configuration change, restart the IMM for the configuration to take effect.
It’s suggested to disable the SSL 3.0 in the web browser side.
3.4 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N