Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled by default in the Apache based IBM HTTP Server.

Vulnerability Details

CVE ID: CVE-2014-3566**
DESCRIPTION: **IBM HTTP Server could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plain text of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

This vulnerability affects all versions and releases of IBM HTTP Server (IHS) component in all editions of WebSphere Application Server and bundling products.

Remediation/Fixes

There is no separate interim fix for the PI27904 APAR that is associated with this issue, but the interim fix for APAR PI31516 (TLS Padding Vulnerability CVE-2014-8730) includes the update for APAR PI27904. APAR PI27904 update disables SSLv3 by default for IHS 7.0 and newer, and adds the ‘SSLProtocolEnable’ directive into IHS 7.0.
The update for PI27904 will be included in fix packs 7.0.0.37, 8.0.0.10 and 8.5.5.4.

Workarounds and Mitigations

For all releases and versions of Apache based IBM HTTP Server, IBM recommends disabling SSLv3:

Add the following directive to the httpd.conf file to disable SSLv3 and SSLv2 for each context that contains “SSLEnable”:

Disable SSLv3 for CVE-2014-3566

SSLv2 is disabled in V8R0 and later by default, and in typical V7

and earlier configurations disabled implicitly when SSLv3 ciphers

are configured with SSLCipherSpec.

SSLProtocolDisable SSLv3 SSLv2

Stop and restart IHS for the changes to take affect.

Note:

• If you start IHS with the -f command line argument, or you use the “Include” directive to include alternate configuration files, you may need to search those filenames for SSLEnable.
• If you configure SSL with _SSLEnable _in the global (non-virtualhost) scope, you will need to move SSLEnable into a virtualhost scope to add SSLProtocolDisable

IBM recommends that you review your entire environment to identify other areas that enable SSLv3 protocol and take appropriate mitigation (such as disabling SSLv3) and remediation actions.

Get Notified about Future Security Bulletins

Subscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html&gt;) to be notified of important product support alerts like this.

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v2 Guide
On-line Calculator v2

Off

HTTPS advisor fails when SSLv3 is disabled on backend servers

TLS Padding vulnerability CVE-2014-8730

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

15 October 2014: original document published
03 November 2014: added extra notes
02 December 2014: added link to reference section
28 January 2015: added links to CVE-2014-8730

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{“Product”:{“code”:“SSEQTJ”,“label”:“IBM HTTP Server”},“Business Unit”:{“code”:“BU059”,“label”:“IBM Software w/o TPS”},“Component”:“SSL”,“Platform”:[{“code”:“PF002”,“label”:“AIX”},{“code”:“PF010”,“label”:“HP-UX”},{“code”:“PF016”,“label”:“Linux”},{“code”:“PF027”,“label”:“Solaris”},{“code”:“PF033”,“label”:“Windows”},{“code”:“PF035”,“label”:“z/OS”}],“Version”:“8.5.5;8.5;8.0;7.0;6.1”,“Edition”:“All Editions”,“Line of Business”:{“code”:“LOB45”,“label”:“Automation”}}]