**CVSS3 Base Score: 3.4 Low**

| Metric | Value |
| --- | --- |
| Attack Vector | NETWORK |
| Attack Complexity | HIGH |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | CHANGED |
| Confidentiality Impact | LOW |
| Integrity Impact | NONE |
| Availability Impact | NONE |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N |

**CVSS2 Base Score: 4.3 Medium**

| Metric | Value |
| --- | --- |
| Access Vector | NETWORK |
| Access Complexity | MEDIUM |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | NONE |
| Availability Impact | NONE |
| Vector | AV:N/AC:M/Au:N/C:P/I:N/A:N |
SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. The SSL_TLS protocol setting, which still permits SSLv3, is enabled by default on some pages of the embedded Build Forge console.
**CVE ID:** CVE-2014-3566

**Description:** IBM WebSphere Application could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

**CVSS Base Score:** 4.3
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/97013> for the current score
**CVSS Environmental Score:** Undefined
**CVSS Vector:** (AV:N/AC:M/Au:N/C:P/I:N/A:N)
**Affected Products and Versions:** Rational Automation Framework 3.0.1, 3.0.1.1, 3.0.1.2, and 3.0.1.3 on all supported platforms.
None
You can disable SSLv3 by changing the configuration files with the following steps.

**Note:** rafinstall is used below to represent the installation directory you have chosen for Rational Automation Framework.
Procedure:

1. Open the embedded Build Forge console in a browser at http://<rafconsole>/bfui
2. Go to Administration > Security-SSL
3. Change all the SSL_TLS/SSLv3/SSL values to TLSv1 and save
4. Back up the bfclient.conf file
   - bfclient.conf is under \rafinstall on Windows
   - bfclient.conf is under /rafinstall/<platform> on Linux and UNIX
5. Go to Administration > Security
6. Click **Update Master BFClient.conf**
7. Stop Rational Automation Framework
8. Change the Apache ssl.conf config file
   - ssl.conf is under *\rafinstall\Apache\Conf\ssl* on Windows
   - ssl.conf is under /rafinstall/server/apache/conf/ssl/ on Linux and UNIX
9. Update the following line
   - From: SSLProtocol -ALL +SSLv3 +TLSv1
   - To: SSLProtocol -ALL +TLSv1
10. Change the Tomcat server.conf config
    - By default the server.conf is under *\rafinstall\Apache\tomcat\conf* on Windows
    - By default the server.conf is under /rafinstall/server/tomcat/conf/ on Linux and UNIX
11. Find the sslProtocol="SSL_TLS" line, change the SSL_TLS to TLS and save
    - Note: If Rational Automation Framework is installed with WebSphere Application Server, this step is not required
12. Start Rational Automation Framework
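As an added verification check (not part of this bulletin and not code from Rational Automation Framework), the following Python audits the two files the procedure edits, the Apache ssl.conf SSLProtocol directive and the Tomcat sslProtocol attribute, and reports whether SSLv3 is still permitted. The sample file contents are constructed to mirror the before/after lines above, and the set of protocol names that "ALL" expands to is an assumption.

```python
import re

# Protocol names mod_ssl accepts in SSLProtocol; "ALL" expands to this set.
# Which of them a given Apache build offers is version-dependent (assumption).
APACHE_PROTOCOLS = {"SSLV2", "SSLV3", "TLSV1", "TLSV1.1", "TLSV1.2"}

# Constructed sample file contents mirroring the bulletin's before/after lines.
APACHE_BEFORE = "SSLEngine on\nSSLProtocol -ALL +SSLv3 +TLSv1\n"
APACHE_AFTER = "SSLEngine on\nSSLProtocol -ALL +TLSv1\n"
TOMCAT_BEFORE = '<Connector port="8443" SSLEnabled="true" sslProtocol="SSL_TLS" />'
TOMCAT_AFTER = '<Connector port="8443" SSLEnabled="true" sslProtocol="TLS" />'


def apache_enabled_protocols(ssl_conf):
    """Evaluate the last uncommented SSLProtocol directive in an Apache ssl.conf.
    Tokens apply left to right: '+proto' adds, '-proto' removes, a bare 'proto'
    replaces the selection. No directive means mod_ssl's default of 'all'."""
    directive = None
    for line in ssl_conf.splitlines():
        parts = line.strip().split(None, 1)
        if parts and parts[0].upper() == "SSLPROTOCOL":
            directive = parts[1] if len(parts) > 1 else ""
    if directive is None:
        return set(APACHE_PROTOCOLS)
    enabled = set()
    for token in directive.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("=", token)
        protos = APACHE_PROTOCOLS if name.upper() == "ALL" else {name.upper()}
        if action == "+":
            enabled |= protos
        elif action == "-":
            enabled -= protos
        else:
            enabled = set(protos)
    return enabled


def tomcat_ssl_protocol(server_conf):
    """Return the value of the Tomcat connector's sslProtocol attribute, if any."""
    match = re.search(r'sslProtocol\s*=\s*"([^"]*)"', server_conf)
    return match.group(1) if match else None


def sslv3_findings(ssl_conf, server_conf):
    """List the settings that still permit SSLv3 after the procedure above."""
    findings = []
    if "SSLV3" in apache_enabled_protocols(ssl_conf):
        findings.append("Apache ssl.conf still enables SSLv3")
    value = tomcat_ssl_protocol(server_conf)
    if value is not None and value.upper().startswith("SSL"):
        findings.append('Tomcat sslProtocol="%s" still permits SSLv3' % value)
    return findings
```

Run `sslv3_findings` over the real ssl.conf and server.conf contents after step 12; an empty list means both files match the corrected settings, and an absent SSLProtocol line is reported as still enabling SSLv3 because mod_ssl then falls back to "all".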