Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMC93810737B3A9011D99C779B457DD2804810F029C1CFDF10E0422BE2BEB65D2D
HistoryJun 16, 2018 - 7:40 p.m.

Security Bulletin: IBM WebSphere Transformation Extender Secure Adapter Collection vulnerabilities: RSA BSAFE-C (CVE-2014-4191, CVE-2014-4192) and SSLv3 (CVE-2014-3566)

2018-06-1619:40:57
www.ibm.com
25

0.975 High

EPSS

Percentile

100.0%

JSON

Summary

EMC RSA BSAFE-C Toolkits, utilized by WebSphere Transformation Extender Secure Adapter Collection, could allow a remote attacker to obtain sensitive information.

Additionally, SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in WebSphere Transformation Extender Secure Adapter Collection.

Vulnerability Details

CVE ID:CVE-2014-4192

Description: EMC RSA BSAFE-C Toolkits could allow a remote attacker to obtain sensitive information, caused by the processing of certain requests for output bytes by the Dual_EC_DRBG implementation. By recovering the algorithm’s inner state, an attacker could exploit this vulnerability to obtain sensitive information.

CVSS Base Score: 5 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93832&gt;[](&lt;https://exchange.xforce.ibmcloud.com/vulnerabilities/92844&gt;) for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE ID:CVE-2014-4191

Description: EMC RSA BSAFE-C Toolkits could allow a remote attacker to obtain sensitive information, caused by the sending of a long series of random bytes during use of the Dual_EC_DRBG algorithm by the TLS implementation. By recovering the algorithm’s inner state, an attacker could exploit this vulnerability to obtain sensitive information.

CVSS Base Score: 5 **CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93833&gt; for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2014-3566

DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3 **CVSS Temporal Score:**See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

WTX Secure Adapters Collection 8.4.1.0 - 8.4.1.2

WTX Secure Adapters Collection 8.4.0.0 - 8.4.0.5

WTX Secure Adapters Collection 8.3.0.0 - 8.3.0.6

WTX Secure Adapters Collection 8.2.0.0 - 8.2.0.6

WTX Secure Adapters Collection 8.1.0.0 - 8.1.0.5

Remediation/Fixes

Download and install the interim fix for APAR PI29359 from IBM Fix Central:
http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Transformation+Extender&release=All&platform=All&function=aparId&apars=PI29359

For releases running HP-UX on PA-RISC, contact IBM Support to request the fix.

IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3.

Workarounds and Mitigations

None.

Related

freebsd 1
redhat 2
nessus 33
openvas 20
centos 1
hackerone 3
paloalto 1
fedora 13
ubuntucve 1
debiancve 1
ibm 101
securityvulns 2
veracode 2
nvd 1
threatpost 1
hp 1
cert 1
amazon 2
citrix 1
osv 1
cvelist 1
f5 1
seebug 1
virtuozzo 1
checkpoint_advisories 1
mageia 1
arista 1
debian 2
cve 1
freebsd
freebsd
davmail -- fix potential CVE-2014-3566 vulnerability (POODLE)
2014-10-27 00:00:00
redhat
redhat
(RHSA-2014:1948) Important: nss, nss-util, and nss-softokn security, bug fix, and enhancement update
2014-12-02 00:00:00
(RHSA-2015:1546) Important: node.js security update
2015-08-04 00:00:00
nessus
nessus
Fedora 21 : fossil-1.33-1.fc21 (2015-9090) (POODLE)
2015-10-16 00:00:00
Fedora 20 : claws-mail-3.11.1-2.fc20 / claws-mail-plugins-3.11.1-1.fc20 / libetpan-1.6-1.fc20 (2014-14234) (POODLE)
2014-11-11 00:00:00
AIX 6.1 TL 9 : nettcp (IV73324) (POODLE)
2015-06-19 00:00:00
openvas
openvas
Amazon Linux: Security Advisory (ALAS-2014-426)
2015-09-08 00:00:00
Fedora Update for claws-mail-plugins FEDORA-2014-14234
2014-11-11 00:00:00
Fedora Update for libetpan FEDORA-2014-14234
2014-11-11 00:00:00
centos
centos
nss security update
2014-12-03 22:45:56
hackerone
hackerone
X (Formerly Twitter): POODLE SSLv3 bug on multiple twitter smtp servers (mx3.twitter.com,199.59.148.204,199.16.156.108 and 199.59.148.204)
2017-11-09 21:44:16
Semrush: SSLv3 Poodle Attack on Ip Of semrush
2018-02-22 16:43:36
New Relic: SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
2017-03-26 19:08:23
paloalto
paloalto
SSL 3.0 MITM Attack
2014-10-20 07:00:00
fedora
fedora
[SECURITY] Fedora 20 Update: subscription-manager-1.13.6-1.fc20
2014-11-07 02:36:51
[SECURITY] Fedora 20 Update: libuv-0.10.29-1.fc20
2014-12-15 04:34:00
[SECURITY] Fedora 19 Update: nodejs-0.10.33-1.fc19
2014-12-15 04:35:14
ubuntucve
ubuntucve
CVE-2014-3566
2014-10-14 00:00:00
debiancve
debiancve
CVE-2014-3566
2014-10-15 00:55:02
ibm
ibm
Security Bulletin: A security vulnerability has been identified in IBM Tivoli Directory Server shipped with AIX/VIOS (CVE-2014-3566)
2021-09-15 12:14:52
Security Bulletin: Vulnerability in SSLv3 affects IBM Rational ClearCase (CVE-2014-3566)
2018-07-10 08:34:12
Security Bulletin: Vulnerability in SSLv3 affects Rational Insight (CVE-2014-3566)
2018-06-17 04:57:41
securityvulns
securityvulns
APPLE-SA-2014-10-16-2 Security Update 2014-005
2014-10-18 00:00:00
APPLE-SA-2014-10-16-5 OS X Server v2.2.5
2014-10-18 00:00:00
veracode
veracode
POODLE Attack
2017-05-03 05:12:56
Information Disclosure
2017-02-07 00:05:45
nvd
nvd
CVE-2014-3566
2014-10-15 00:55:02
threatpost
threatpost
OpenSSL Releases Patch for POODLE Attack
2014-10-16 10:29:53
hp
hp
HPSBPI03360 rev.5 - HP LaserJet Printers and MFPs, HP OfficeJet Printers and MFPs, and HP JetDirect Networking cards using OpenSSL, Remote Disclosure of Information
2015-06-19 00:00:00
cert
cert
POODLE vulnerability in SSL 3.0
2014-10-17 00:00:00
amazon
amazon
Important: openssl
2014-10-14 22:32:00
Important: nss
2014-10-16 22:14:00
citrix
citrix
CVE-2014-3566 - Citrix Security Advisory for SSLv3 Protocol Flaw
2014-10-14 04:00:00
osv
osv
lighttpd - security update
2015-07-25 00:00:00
cvelist
cvelist
CVE-2014-3566
2014-10-15 00:00:00
f5
f5
K15702 : SSLv3 vulnerability CVE-2014-3566
2015-09-18 00:00:00
seebug
seebug
SSL 3.0 POODLE(CVE-2014-3566)
2017-02-17 00:00:00
virtuozzo
virtuozzo
Important product update: Virtuozzo PowerPanel RTM Hotfix 3 (7.0.1-415)
2017-09-20 00:00:00
checkpoint_advisories
checkpoint_advisories
Secure Socket Layer (SSL) Version 3.0 (CVE-2014-3566)
2014-10-15 00:00:00
mageia
mageia
Updated ruby-httpclient package enables SSL negotiation
2014-11-26 20:29:06
arista
arista
Security Advisory 0007
2014-10-20 00:00:00
debian
debian
[SECURITY] [DLA 282-1] lighttpd security update
2015-07-25 14:29:15
[SECURITY] [DSA 3489-1] lighttpd security update
2016-02-23 18:26:27
cve
cve
CVE-2014-3566
2014-10-15 00:55:02

0.975 High

EPSS

Percentile

100.0%

JSON
Related for C93810737B3A9011D99C779B457DD2804810F029C1CFDF10E0422BE2BEB65D2D
freebsd1redhat2nessus33openvas20centos1hackerone3paloalto1fedora13ubuntucve1debiancve1ibm101securityvulns2veracode2nvd1threatpost1hp1cert1amazon2citrix1osv1cvelist1f51seebug1virtuozzo1checkpoint_advisories1mageia1arista1debian2cve1