Security Bulletin: Vulnerability in SSLv3 affects IBM Installation Manager (CVE-2014-3566)

2021-10-25 12:12:53

www.ibm.com

CVSS3: 3.4 Low
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

EPSS: 0.975 High
Percentile: 100.0%

Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM Installation Manager.

Vulnerability Details


CVE-ID: CVE-2014-3566

Description: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

All versions of IBM Installation Manager.

Remediation/Fixes

None

IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3.

Workarounds and Mitigations

While it is not possible to disable SSLv3 in the IBM Installation Manager, you can use one of the options below to ensure it does not use the SSLv3 protocol.

Option #1: Use local paths to access repositories instead of HTTP servers

The IBM Installation Manager connects to package repositories to download product artifacts and the instructions for installing them. Rather than using an HTTP server to host these repositories, you can access a repository through a local path.

A common way to do this is to host a repository on a network share that is accessible by any machine in your environment using a UNC path. You can use domain credentials to restrict access to respective repositories as needed.

Option #2: Upgrade to IBM Installation Manager 1.8.0 or newer and adopt the TLS protocol in your HTTP server

IBM Installation Manager 1.8.0 or newer can communicate with servers that use the TLS protocol. It is recommended that you upgrade all installations of Installation Manager to version 1.8.0 or later and convert all HTTP servers hosting package repositories to use the TLS protocol and disable SSLv3.

The “IBM Installation Manager Downloads” link in the references section of this document will take you to a page where you can find any version of Installation Manager that has been released. Click on the “Download Document” link to access the download document for the version of the IBM Installation Manager that you’d like to download. Before downloading and installing, we also recommend that you review the supported platforms by clicking the “Detailed System Requirements” link in the same document.

Instructions for converting an HTTP server to use TLS and disabling SSLv3 can be found in its respective documentation.
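After an HTTP server hosting a package repository has been switched to TLS with SSLv3 disabled, the practical check is whether the host still completes an SSL 3.0 handshake. The script below is an added example, not IBM's code or part of this bulletin: it sends a minimal SSLv3 ClientHello to a host you operate and classifies the first record that comes back (the host, port and cipher-suite list are assumed placeholders). A server that answers with an Alert or simply closes the connection no longer accepts SSLv3; a ServerHello carrying version 3.0 means the protocol is still enabled.

```python
"""Verify that a repository host no longer accepts an SSLv3 handshake.

Constructed example (not IBM's code): builds a bare SSL 3.0 ClientHello,
sends it, and classifies the first record the server returns.
"""
import os
import socket
import struct

SSLV3 = b"\x03\x00"                      # protocol version field for SSL 3.0
# Constructed sample list of suites an SSLv3-era server could accept.
CIPHER_SUITES = b"\x00\x2f\x00\x0a\x00\x05\x00\x04"


def build_sslv3_client_hello() -> bytes:
    """Return one handshake record carrying a ClientHello with client_version = 3.0."""
    body = (
        SSLV3                                           # client_version
        + os.urandom(32)                                # random
        + b"\x00"                                       # session_id length 0
        + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
        + b"\x01\x00"                                   # one compression method: null
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Map the server's first record to 'sslv3_accepted', 'sslv3_rejected' or 'unknown'."""
    if not data:
        return "sslv3_rejected"          # connection closed without any ServerHello
    if len(data) < 5:
        return "unknown"
    content_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if content_type == 0x15:             # Alert record: handshake refused
        return "sslv3_rejected"
    if content_type == 0x16 and body[:1] == b"\x02":   # Handshake record, ServerHello
        return "sslv3_accepted" if body[4:6] == SSLV3 else "unknown"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the ClientHello to host:port and report the verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        return classify_response(sock.recv(4096))


if __name__ == "__main__":
    import sys
    # Placeholder target: replace with the repository host you administer.
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "repo.example.invalid"))
```

Run it against each repository host after reconfiguration; anything other than `sslv3_rejected` warrants a closer look at the server's protocol settings.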
