3.4 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in Rational Insight.
CVE-ID: CVE-2014-3566
Description: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.
CVSS Base Score: 4.3 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97013> for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Rational Insight 1.1, 1.1.1, 1.1.1.1, 1.1.1.2, 1.1.1.4, 1.1.1.5 and 1.1.1.6
Apply the recommended fixes to all affected versions of Rational Insight.
Rational Insight 1.1
Rational Insight 1.1.1, 1.1.1.1 and 1.1.1.2
Rational Insight 1.1.1.4, 1.1.1.5 and 1.1.1.6
SSL secured communication occurs between client and server, for example between a Web browser and a Web server on which the Rational Insight is installed and configured. To mitigate this issue and protect against POODLE attack, it is enough to secure either the Web browser or the server (or both). One suggestion is to secure the Web server into which DCC and/or JRS are installed and configured.
See the following links for general information on how to disable SSLv3 in Apache Tomcat and IBM WebSphere:
Also reference http://www.ibm.com/support/docview.wss?uid=swg21687762 for additional information specific to the Jazz Team Server that may be used by DCC and/or JRS.
IBM recommends that you review your entire environment to identify other areas that enable the SSLv3 protocol and take appropriate mitigation such as disabling SSLv3 and remediation actions.
3.4 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N