Security Bulletin: Rational Automation Framework Security Advisory (CVE-2014-3566)

Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSL_TLS is enabled by default in embedded Build Forge in some pages.

Vulnerability Details

| Subscribe to My Notifications to be notified of important product support alerts like this.

• Follow this link for more information (requires login with your IBM ID)
  —|—

CVE ID: CVE-2014-3566** **
**Description:**IBM WebSphere Application could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3 **CVSS Temporal Score:**See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/97013&gt;_ for the current score *CVSS Environmental Score:**Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Rational Automation Framework 3.0.1, 3.0.1.1, 3.0.1.2, and 3.0.1.3 on all supported platforms.

Remediation/Fixes

None

Workarounds and Mitigations

You can change the configuration file by the following steps to disable the SSLv3.

**Note:**rafinstall is used below to represent the installation directory you have chosen to place Rational Automation Framework.

Procedure:

1. Open embedded Build Forge console in browser at http://<rafconsole>/bfui

2. Go to Administration > Security-SSL

3. Change all the SSL_TLS/SSLv3/SSL to TLSv1 and save

4. Backup the bfclient.conf file

• By default the bfclient.conf is under \rafinstall on Windows
• By default the bfclient.conf is under /rafinstall/<platform> on Linux and UNIX

5. Go to Administration > Security

6. Click **Update Master BFClient.conf

**7. Stop Rational Automation Framework

8. Change the Apache ssl.conf config file

• By default the ssl.conf is under *\rafinstall\Apache\Conf\ssl* on Windows
• By default the ssl.conf is under /rafinstall/server/apache/conf/ssl/ on Linux and UNIX

9. Update the following line

• From: SSLProtocol -ALL +SSLv3 +TLSv1 To: SSLProtocol -ALL +TLSv1
  10. Change the Tomcat server.conf config

• By default the server.conf is under *\rafinstall\Apache\tomcat\conf* on Windows

• By default the server.conf is under /rafinstall/server/tomcat/conf/ on Linux and UNIX

11. Find the sslProtocol="SSL_TLS" line and change the SSL_TLS to TLS and save

Note: If Rational Automation Framework is installed with WebSphere Application Server, this step is not required

12. Start Rational Automation Framework