Security Bulletin: Vulnerability in SSLv3 affects IBM InfoSphere Optim Configuration Manager (CVE-2014-3566)

Published: 2018-06-16 13:08:03 | Source: www.ibm.com
EPSS: 0.975 (High), percentile 100.0%

Summary

SSLv3 contains a vulnerability that is referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM® InfoSphere® Optim™ Configuration Manager.

Vulnerability Details

CVE-ID: CVE-2014-3566

DESCRIPTION: IBM InfoSphere Optim Configuration Manager could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM InfoSphere Optim Configuration Manager versions 2.1 and 2.2

IBM InfoSphere Optim Configuration Manager for Linux, UNIX, and Windows v3.1

IBM InfoSphere Optim Configuration Manager for z/OS® v3.1

IBM InfoSphere Optim Configuration Manager for Linux, UNIX, and Windows v3.1.0.1

The bulletin's affected-products table also lists the following offerings:

  - DB2® 9.7 Advanced Workgroup Server Edition
  - DB2 10.1 Advanced Workgroup Server Edition
  - PDTX 1.0
  - DB2 Workgroup, DB2 Developer Edition, and DB2 Advanced Server Edition 10.5
  - DB2 Admin Solution Pack 2.1
  - DB2 Connect Unlimited Advanced Edition 10.5
  - PDTx 1.0 FixPack 7

Remediation/Fixes

For InfoSphere Optim Configuration Manager v3.1.0 and v3.1.0.1, go to Fix Central to download the patch with instructions on how to apply the patch to the product. For InfoSphere Optim Configuration Manager v2.1, v2.1.1, v2.2, and v2.2.0.1, contact IBM Software Support.

The patch changes the InfoSphere Optim Configuration Manager server configuration to disable the SSLv3 protocol, and to only permit TLS 1.0 or higher for HTTPS connections.

If needed, you can re-enable the SSLv3 protocol after applying the patch.

To re-enable the SSLv3 protocol for HTTPS connections to the InfoSphere Optim Configuration Manager server:

  1. Edit the server.xml configuration file in the InfoSphere Optim Configuration Manager installation directory at:

     wlp/usr/servers/dsweb/SSLConfig.xml

  2. Remove the following line and save the file.

     <include optional="true" location="./TLSOnlyConfig.xml"/>

Note: You do not need to restart InfoSphere Optim Configuration Manager for this change to take effect.

Important: IBM suggests that you review your entire environment to identify areas that enable the SSLv3 protocol and that you take appropriate mitigation and remediation actions. The most immediate mitigation action is to disable SSLv3.

Workarounds and Mitigations

InfoSphere Optim Configuration Manager relies on IBM WebSphere® Application Server (WAS) to manage the SSL protocol that is used for secure network connections. InfoSphere Optim Configuration Manager uses the WAS Liberty Profile.

Refer to the Workarounds and Mitigations section in this Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566). The following steps outline how to apply these mitigations to InfoSphere Optim Configuration Manager.

To specify the default SSL configuration to be used by IBM InfoSphere Optim Configuration Manager:

  1. Edit the SSLConfig.xml file in the InfoSphere Optim Configuration Manager installation directory at:

     wlp/usr/servers/dsweb/SSLConfig.xml

     Before making any changes, verify that the contents of the SSLConfig.xml file look like this:

     <server>
       <keyStore id="defaultKeyStore" password="password"/>
     </server>

  2. Add an 'ssl' element to specify the minimal level of security for the SSL protocol. Set the "sslProtocol" attribute to "TLS" to ensure that SSLv3 is no longer used.

     After making these changes, the contents of the SSLConfig.xml file might look like this (the 'ssl' element is the addition):

     <server>
       <ssl id="defaultSSLConfig"
            keyStoreRef="defaultKeyStore"
            sslProtocol="TLS" />
       <keyStore id="defaultKeyStore" password="password"/>
     </server>

Note: If an 'ssl' element already exists, ensure that it includes the attribute sslProtocol="TLS". There is no need to modify the 'keyStore' entry; if you have customized it, for example to point to your own key store location, you can retain the entry as-is. You do not need to restart the web console server after this update.
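As an added check covering both the patch (the TLSOnlyConfig.xml include) and the workaround above (the 'ssl' element with sslProtocol="TLS"), here is a small Python script that parses an SSLConfig.xml in the layout this bulletin shows, reports whether the file could still let SSLv3 be negotiated, and applies the workaround's 'ssl' element where it is missing. This is example code written for this page, not IBM tooling; the sample files, the function names, and the decision to treat the TLSOnlyConfig.xml include as equivalent to sslProtocol="TLS" are assumptions made here.

```python
"""Check and harden a Liberty-style SSLConfig.xml so SSLv3 is no longer offered.

Example written for this bulletin, not IBM's own tooling. It assumes the file
layout the bulletin describes: a <server> root, an optional <ssl> element with
an sslProtocol attribute, and the patch's
<include optional="true" location="./TLSOnlyConfig.xml"/> line.
"""
import xml.etree.ElementTree as ET

TLS_ONLY_INCLUDE = "./TLSOnlyConfig.xml"

# Constructed sample: the pre-change file the bulletin shows (no <ssl> element).
SAMPLE_BEFORE = """<server>
  <keyStore id="defaultKeyStore" password="password"/>
</server>
"""

# Constructed sample: an <ssl> element whose protocol setting does not pin TLS.
SAMPLE_NOT_PINNED = """<server>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="SSL"/>
  <keyStore id="defaultKeyStore" password="password"/>
</server>
"""

# Constructed sample: a file that still carries the patch's TLS-only include.
SAMPLE_PATCHED = """<server>
  <include optional="true" location="./TLSOnlyConfig.xml"/>
  <keyStore id="defaultKeyStore" password="password"/>
</server>
"""


def has_tls_only_include(xml_text: str) -> bool:
    """True if the patch's TLSOnlyConfig.xml include is still present."""
    root = ET.fromstring(xml_text)
    return any(inc.get("location") == TLS_ONLY_INCLUDE for inc in root.iter("include"))


def sslv3_possible(xml_text: str) -> bool:
    """True if this config does not pin the protocol to TLS.

    Assumption (from the bulletin's workaround): sslProtocol="TLS" on the ssl
    element disables SSLv3. A missing ssl element, or one with any other
    sslProtocol value, is reported as not hardened unless the patch's
    TLS-only include is in place.
    """
    if has_tls_only_include(xml_text):
        return False
    root = ET.fromstring(xml_text)
    ssl_elems = root.findall("ssl")
    if not ssl_elems:
        return True
    return any(e.get("sslProtocol") != "TLS" for e in ssl_elems)


def harden(xml_text: str, keystore_ref: str = "defaultKeyStore") -> str:
    """Return the config with an ssl element that forces sslProtocol="TLS".

    Mirrors the bulletin's workaround: add <ssl id="defaultSSLConfig" .../>
    when absent, otherwise set sslProtocol="TLS" on each existing ssl element.
    The keyStore element is left untouched, as the bulletin advises.
    """
    root = ET.fromstring(xml_text)
    ssl_elems = root.findall("ssl")
    if not ssl_elems:
        ssl = ET.Element("ssl", {"id": "defaultSSLConfig",
                                 "keyStoreRef": keystore_ref,
                                 "sslProtocol": "TLS"})
        ssl.tail = "\n  "          # keep the following element on its own line
        root.insert(0, ssl)
    else:
        for e in ssl_elems:
            e.set("sslProtocol", "TLS")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE),
                       ("not pinned", SAMPLE_NOT_PINNED),
                       ("patched", SAMPLE_PATCHED)):
        print(f"{name}: SSLv3 possible = {sslv3_possible(text)}")
    print(harden(SAMPLE_BEFORE))
```

Run it against a copy of your own SSLConfig.xml (read the file into a string and pass it to sslv3_possible and harden) rather than editing the live file in place; the script deliberately returns the new text instead of writing it, so you can review the diff before saving.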

Important: IBM strongly suggests that all System z® customers subscribe to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.