SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is a configurable option in FileNet Content Manager and FileNet BPM products. If using SSLv3 with these products, please refer to the sections below to remediate the POODLE security vulnerability.
CVE-ID: CVE-2014-3566
DESCRIPTION: A remote attacker could obtain sensitive information because of a design error in the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plain text of encrypted connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
IBM FileNet Content Manager 5.0.0, 5.1.0, 5.2.0, 5.2.1 (includes CE, CSS and CFS)
IBM Content Foundation 5.2.0, 5.2.1 (includes CPE and CSS)
IBM FileNet Business Process Manager 4.5.1, 5.0.0
Upgrade to Java Runtime Environment (JRE) 1.6.0 SR16 FP2 or higher, in which SSLv3 is disabled by default, to avoid the POODLE security vulnerability. Installing the applicable fixes in the table below updates the private IBM JRE used by Process Engine (PE), Content Engine (CE/CPE) and Content Search Services (CSS) to 1.6.0 SR16 FP2.
| Product | VRMF | Remediation/First Fix Available |
|---|---|---|
| FileNet Content Manager | 5.0.0 | 5.0.0.3-P8CE-FP003 - May 19, 2015 |
| FileNet Content Manager | 5.1.0 | 5.1.0.5-P8CE-FP005 - Jan 29, 2015; 5.1.0.0-P8CSS-IF010 - Jan 29, 2015 |
| FileNet Content Manager | 5.2.0 | 5.2.0.3-P8CPE-IF005 - Mar 10, 2015; 5.2.0.2-P8CSS-IF002 - Mar 10, 2015 |
| FileNet Content Manager | 5.2.1 | 5.2.1.0-P8CPE-IF002 - April 8, 2015; 5.2.1.0-P8CSS-IF001 - April 8, 2015 |
| IBM Content Foundation | 5.2.0 | 5.2.0.3-P8CPE-IF005 - Mar 10, 2015; 5.2.0.2-P8CSS-IF002 - Mar 10, 2015 |
| IBM Content Foundation | 5.2.1 | 5.2.1.0-P8CPE-IF002 - April 8, 2015; 5.2.1.0-P8CSS-IF001 - April 8, 2015 |
| FileNet Business Process Manager | 4.5.1 | 4.5.1.4-P8PE-IF007 - April 8, 2015 |
| FileNet Business Process Manager | 5.0.0 | 5.0.0.7-P8PE-IF001 - Dec 10, 2014; 5.0.0.8-P8PE-FP008 - Jan 29, 2015 |
IBM recommends that you review your entire environment to identify products and components that enable the SSLv3 protocol. The only way to truly mitigate the SSLv3 security vulnerability is to disable the SSLv3 protocol. To establish secure connections between components, there are other protocols such as the Transport Layer Security (TLS) protocol that can be used.
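Reviewing the environment for components that still accept SSLv3 is easier with a probe that does not depend on the local TLS library, because current Python and OpenSSL builds no longer speak SSLv3 themselves. The following script is an added example, not part of the IBM bulletin or the FileNet products: it hand-builds an SSLv3 ClientHello record, sends it to a host:port (for example a CE/CPE, CSS or PE listener), and classifies the first record the server returns. A ServerHello carrying version 3.0 means SSLv3 is still enabled; a protocol_version or handshake_failure alert, a ServerHello with a higher version, or a closed connection means it is not. The cipher-suite list and the two sample server responses are constructed for the example, not captured from a real server.

```python
"""Probe a host:port for SSLv3 support with a hand-built ClientHello record."""
import os
import socket
import struct
import sys

SSLV3_VERSION = b"\x03\x00"
CONTENT_HANDSHAKE = 0x16
CONTENT_ALERT = 0x15
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}

# Assumption: a few RSA suites an SSLv3-era server would recognise.
DEFAULT_SUITES = (0x002F, 0x0035, 0x000A, 0x0005)


def build_sslv3_client_hello(cipher_suites=DEFAULT_SUITES, client_random=None):
    """Return one SSLv3 record carrying a minimal ClientHello (no extensions)."""
    if client_random is None:
        client_random = os.urandom(32)
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        SSLV3_VERSION                                  # client_version = 3.0
        + client_random                                # gmt_unix_time + random_bytes
        + b"\x00"                                      # empty session_id
        + struct.pack("!H", len(suites)) + suites      # cipher_suites vector
        + b"\x01\x00"                                  # compression_methods: null only
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([CONTENT_HANDSHAKE]) + SSLV3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_server_response(data):
    """Map the server's first record to ('vulnerable'|'rejected'|'unknown', detail)."""
    if len(data) < 5:
        return "rejected", "connection closed or no record returned"
    ctype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if ctype == CONTENT_ALERT:
        if len(payload) >= 2:
            level, desc = payload[0], payload[1]
            return "rejected", f"alert {ALERT_NAMES.get(desc, desc)} (level {level})"
        return "rejected", "truncated alert record"
    if ctype == CONTENT_HANDSHAKE and len(payload) >= 6 and payload[0] == HANDSHAKE_SERVER_HELLO:
        server_version = payload[4:6]                  # skip msg_type(1) + length(3)
        if server_version == SSLV3_VERSION:
            return "vulnerable", "server answered with an SSLv3 ServerHello"
        return "rejected", f"server chose version {server_version.hex()} instead of SSLv3"
    return "unknown", f"unexpected record type 0x{ctype:02x}"


def probe_sslv3(host, port, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""                                 # treated as a refusal
    return classify_server_response(data)


# Constructed sample responses for offline use (not captured from a real server).
SAMPLE_SSLV3_SERVER_HELLO = (
    b"\x16\x03\x00\x00\x2a"                            # handshake record, 42 bytes
    + b"\x02\x00\x00\x26"                              # ServerHello, 38-byte body
    + b"\x03\x00" + b"\x00" * 32                       # server_version 3.0, zero random
    + b"\x00" + b"\x00\x2f" + b"\x00"                  # no session id, suite 0x002F, null compression
)
SAMPLE_PROTOCOL_VERSION_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"  # fatal protocol_version

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(probe_sslv3(sys.argv[1], int(sys.argv[2])))
    else:
        print("sslv3 hello ->", classify_server_response(SAMPLE_SSLV3_SERVER_HELLO))
        print("alert       ->", classify_server_response(SAMPLE_PROTOCOL_VERSION_ALERT))
```

Run it as `python probe_sslv3.py <host> <port>` against each listener after applying the fixes; only a "rejected" verdict on every endpoint (CE/CPE, CSS, PE and the application server's own HTTPS ports) confirms the mitigation.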
The SSLv3 vulnerability must be addressed at two different levels: the FileNet P8 level and the application server level.
At the FileNet P8 level (which includes Content Engine (CE/CPE), Process Engine (PE) and Content Search Services (CSS)), upgrade to the appropriate releases listed in the table above.
At the application server level (where Content Engine (CE/CPE) and Content Federation Services (CFS) reside):
- WebSphere: either upgrade the application server Java Runtime Environment (JRE) to SR16 FP2 or higher, or disable SSLv3 using the links in the Workarounds and Mitigations section below.
- WebLogic, JBoss: disable SSLv3 at the application server level using the links in the Workarounds and Mitigations section below; the JRE SR16 FP2 upgrade is not available for these configurations.
The CE/CPE Client Downloader supports the Transport Layer Security (TLS) protocol as an alternative to SSLv3 starting with the releases listed in the table above. CE/CPE clients that use the Content Engine (CE/CPE) Client Download API, such as ICN Configuration Manager and the Content Federation Services setup, should also be upgraded to JRE SR16 FP2 or higher.
Content Federation Services (CFS)
Content Federation Services (CFS) uses SSLv3 with the CE/CPE Client Downloader. For 5.2.0.2-CFS-FP002 and prior, launch the CFS installer program specifying JRE SR16 FP2 or higher to use the TLS protocol instead of SSLv3.
The command syntax is:
<Executable file name for CFS installer> LAX_VM <path to the SR16 FP2 or higher Java executable>
For example:
(Windows)
5.1.0-CFS-WIN.EXE LAX_VM "C:\Program Files (x86)\Java\JRE6_SR16FP2\bin\java.exe"
(The Windows path contains spaces, so it must be quoted and passed as a single argument on the same line as LAX_VM.)
(UNIX)
./5.1.0-CFS-<PLATFORM>.BIN LAX_VM /opt/ibm-java-jre-6.0-16.2-i386/jre/bin/java
Content Search Services (CSS)
If unable to upgrade to the appropriate CSS release (5.1.0.0-P8CSS-IF010, 5.2.0.2-P8CSS-IF002 or 5.2.1.0-P8CSS-IF001), which disables SSLv3 automatically, SSLv3 can be disabled manually by following the steps below.
Append the following JVM system property to the Java command line in the Content Search Services (CSS) startup script (it can be placed after the shutdown-on-OOM parameter): -Dcom.ibm.jsse2.usefipsprovider=true
This switches the IBM JSSE2 provider to its FIPS mode, backed by the IBMJCEFIPS provider configured in the next step, in which SSLv3 is not offered.
In the file [ECMTS_HOME]\Java60\jre\lib\security\java.security change the lines:
#ssl.SocketFactory.provider=
#ssl.ServerSocketFactory.provider=
to
ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
Also in the file [ECMTS_HOME]\Java60\jre\lib\security\java.security, change the lines:
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
to
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.security.sasl.IBMSASL
security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.9=org.apache.harmony.security.provider.PolicyProvider
security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
(The IBMJCEFIPS provider was inserted as security.provider.2 and every following provider number was increased by 1. Keep the numbering contiguous from 1: the JRE reads security.provider.1, .2, ... in sequence and stops at the first missing number, so a gap or duplicate silently drops the providers after it.)
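Renumbering the provider list by hand is the step most likely to go wrong when the edit is repeated across several CSS servers. The following script is an added example, not IBM code: it applies the java.security changes above as a pure text transform (insert IBMJCEFIPS at position 2, renumber the remaining providers contiguously, uncomment and set the two ssl.*SocketFactory.provider lines), checks that the resulting numbering has no gaps or duplicates, and is idempotent so it can be re-run safely. The embedded sample is a constructed excerpt of the file, built from the provider lines listed in this bulletin; the real file lives at [ECMTS_HOME]\Java60\jre\lib\security\java.security and should be backed up and diffed before the output is written back.

```python
"""Apply this bulletin's manual CSS java.security hardening as a reviewable text transform."""
import re
import sys

FIPS_PROVIDER = "com.ibm.crypto.fips.provider.IBMJCEFIPS"
SOCKET_FACTORY = ("ssl.SocketFactory.provider", "com.ibm.jsse2.SSLSocketFactoryImpl")
SERVER_SOCKET_FACTORY = ("ssl.ServerSocketFactory.provider", "com.ibm.jsse2.SSLServerSocketFactoryImpl")
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")


def parse_providers(text):
    """Return [(number, class)] for every security.provider.N line, in file order."""
    return [(int(m.group(1)), m.group(2))
            for m in (PROVIDER_RE.match(line) for line in text.splitlines()) if m]


def provider_numbering_is_contiguous(text):
    """True when the numbers are exactly 1..n. The JRE reads security.provider.1, .2, ...
    and stops at the first missing number, so a gap silently drops later providers."""
    numbers = sorted(n for n, _ in parse_providers(text))
    return numbers == list(range(1, len(numbers) + 1))


def harden_java_security(text, fips_provider=FIPS_PROVIDER, position=2):
    """Insert the FIPS provider at `position`, renumber, and enable the JSSE2 socket factories."""
    kept, providers, block_at = [], [], None
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            if block_at is None:
                block_at = len(kept)          # the rewritten block replaces the first provider line
            providers.append((int(m.group(1)), m.group(2)))
            continue
        kept.append(line)
    if block_at is None:
        raise ValueError("no security.provider.N entries found")
    ordered = [cls for _, cls in sorted(providers)]
    if fips_provider in ordered:              # already applied: re-seat it so the run is idempotent
        ordered.remove(fips_provider)
    ordered.insert(position - 1, fips_provider)
    kept[block_at:block_at] = [f"security.provider.{i}={cls}" for i, cls in enumerate(ordered, start=1)]

    out = []
    for line in kept:
        # Normalise "#ssl.SocketFactory.provider=" and friends down to the bare property name.
        key = line.strip().lstrip("#").strip().split("=", 1)[0].strip()
        if key == SOCKET_FACTORY[0]:
            out.append("=".join(SOCKET_FACTORY))
        elif key == SERVER_SOCKET_FACTORY[0]:
            out.append("=".join(SERVER_SOCKET_FACTORY))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


# Constructed excerpt of the file (not a real java.security), using the provider lines from the bulletin.
SAMPLE_JAVA_SECURITY = r"""# Constructed excerpt of java.security for the example
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO

#ssl.SocketFactory.provider=
#ssl.ServerSocketFactory.provider=
"""

if __name__ == "__main__":
    # With a path argument the real file is read; the result is printed, never written in place.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_JAVA_SECURITY
    hardened = harden_java_security(source)
    print(hardened, end="")
    print("# numbering contiguous:", provider_numbering_is_contiguous(hardened), file=sys.stderr)
```

Redirect the output to a temporary file, diff it against the original, and only then copy it over the JRE's java.security; the -Dcom.ibm.jsse2.usefipsprovider=true startup option from the previous step still has to be added separately, since it lives in the CSS startup script rather than in this file.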
If JRE SR16 FP2 or higher cannot be installed on the Content Engine (CE/CPE) server, the Content Federation Services (CFS) server and the ECM clients (as is the case for WebLogic or JBoss configurations), the following links describe how to disable SSLv3 at the application server level.
How to disable SSLv3 for WebSphere:
http://www.ibm.com/support/docview.wss?uid=swg21687173
How to disable SSLv3 for JBoss:
https://access.redhat.com/solutions/1232233
How to disable SSLv3 for WebLogic:
https://support.oracle.com/rs?type=doc&id=1936300.1