CVSS3: 3.4 Low
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

EPSS: 0.975 High (Percentile: 100.0%)
SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM Installation Manager.
CVE-ID: CVE-2014-3566
Description: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97013> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Products and Versions: All versions of IBM Installation Manager.
Remediation/Fixes: None
IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3.
While it is not possible to disable SSLv3 in the IBM Installation Manager, you can use one of the options below to ensure it does not use the SSLv3 protocol.
Option #1: Use local paths to access repositories instead of HTTP servers
The IBM Installation Manager connects to package repositories to download product artifacts and the instructions for installing them. Rather than using an HTTP server to host these repositories, you can access a repository through a local path.
A common way to do this is to host the repository on a network share that is reachable from any machine in your environment through a UNC path. You can use domain credentials to restrict access to individual repositories as needed.
Option #2: Upgrade to IBM Installation Manager 1.8.0 or newer and adopt the TLS protocol in your HTTP server
IBM Installation Manager 1.8.0 or newer can communicate with servers that use the TLS protocol. It is recommended that you upgrade all installations of Installation Manager to version 1.8.0 or later and convert all HTTP servers hosting package repositories to use the TLS protocol and disable SSLv3.
The “IBM Installation Manager Downloads” link in the references section of this document will take you to a page where you can find any version of Installation Manager that has been released. Click on the “Download Document” link to access the download document for the version of the IBM Installation Manager that you’d like to download. Before downloading and installing, we also recommend that you review the supported platforms by clicking the “Detailed System Requirements” link in the same document.
Instructions for converting an HTTP server to use TLS and disabling SSLv3 can be found in its respective documentation.
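Once a repository server has been converted to TLS, you will want to confirm that it no longer negotiates SSLv3. The following probe is an added example (not IBM's code and not part of this bulletin): it sends a minimal SSLv3 ClientHello and classifies the server's first record. The cipher-suite list, the zeroed random field and the host name are constructed assumptions.

```python
"""Probe whether an HTTPS repository server still accepts SSLv3 (POODLE exposure)."""
import socket
import struct

SSLV3 = b"\x03\x00"  # protocol version 3.0 = SSLv3


def build_sslv3_client_hello() -> bytes:
    """Build a minimal SSLv3 ClientHello record (constructed, offers three CBC suites)."""
    suites = b"\x00\x0a\x00\x2f\x00\x35"  # DES-CBC3-SHA, AES128-SHA, AES256-SHA
    body = (
        SSLV3 + bytes(32)                      # client_version + 32-byte random (zeros here)
        + b"\x00"                              # empty session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                          # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server returns after an SSLv3 ClientHello."""
    if len(data) < 5:
        return "no-response"        # connection closed or nothing sent: SSLv3 refused
    if data[0] == 0x15:
        return "alert"              # alert record (typically protocol_version): SSLv3 refused
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        # ServerHello: record header (5) + handshake header (4), server_version at bytes 9..10
        return "sslv3-accepted" if data[9:11] == SSLV3 else "other-version"
    return "unexpected"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to host:port and report how it reacts to an SSLv3 ClientHello."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    # "repo.example.internal" is a placeholder host name, not a real server.
    print(probe("repo.example.internal"))
```

A result of `sslv3-accepted` means the server still needs its SSLv3 support removed; `alert` or `no-response` is the expected outcome after the change.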