Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBME42FE0E82C4CD079F3A942725651D824397BCFA95C8C2BC7F243A9042E12CCD8
HistoryJun 15, 2018 - 7:02 a.m.

Security Bulletin: Vulnerability in SSLv3 affects WebSphere Lombardi Edition (CVE-2014-3566)

2018-06-1507:02:05
www.ibm.com
14

EPSS

0.975

Percentile

100.0%

JSON

Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in WebSphere Lombardi Edition.

Vulnerability Details

CVE-ID: CVE-2014-3566

DESCRIPTION: WebSphere Lombardi Edition could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

This vulnerability affects some versions and releases of** **WebSphere Lombardi Edition.

Remediation/Fixes

WebSphere Lombardi Edition completely relies on WebSphere Application Server to provide HTTPS capabilities.

IBM recommends that customers install an interim fix for the IBM JDK to disable SSLv3. For information on the required fix, refer to the the Remediation/Fixes section in the following bulletin: Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566)

IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3. You should verify disabling SSLv3 does not cause any compatibility issues.

The eclipse based Process Designer tool includes another instance of the IBM SDK for Java. In order to also disable tolerance of SSLv3 connections from this development tool, please install IT05359 as appropriate for your version of WebSphere Lombardi Edition:

Workarounds and Mitigations

Customers who cannot or do not want to install the fix recommended in the “Remediation/Fixes” section of this security bulletin can disable the use of SSLv3 using manual configuration as described in “Workarounds and Mitigations” under the “Client configuration files” section in the following bulletin: Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566)

Related

ibm 90
nessus 42
openvas 21
citrix 1
f5 1
hackerone 2
fedora 17
redhat 3
cert 1
cvelist 1
veracode 3
amazon 1
seebug 1
osv 2
centos 1
suse 1
cisco 1
fortinet 1
aix 1
securityvulns 2
checkpoint_security 1
freebsd 1
debian 1
prion 1
huawei 1
checkpoint_advisories 1
ibm
ibm
Security Bulletin: WebSphere Process Server Hypervisor Edition vulnerability (CVE-2014-3566)
2018-06-15 07:02:03
Security Bulletin:Vulnerabilities in Network Security Services (NSS) affect the IBM FlashSystem V840,(CVE-2014-3566)
2018-06-18 00:09:27
Security Bulletin: Vulnerability in SSLv3 affects IBM InfoSphere Optim Performance Manager (CVE-2014-3566)
2021-07-08 21:30:52
nessus
nessus
Mac OS X : OS X Server < 3.2.2 SSLv3 Information Disclosure (POODLE)
2014-10-21 00:00:00
Cisco Wireless LAN Controllers 5500 Series (POODLE)
2014-12-03 00:00:00
IBM Domino SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)
2016-04-14 00:00:00
openvas
openvas
Fedora Update for claws-mail FEDORA-2014-14234
2014-11-11 00:00:00
Fedora Update for nodejs FEDORA-2014-15379
2014-12-15 00:00:00
Fedora Update for python-rhsm FEDORA-2014-13781
2014-11-07 00:00:00
citrix
citrix
CVE-2014-3566 - Citrix Security Advisory for SSLv3 Protocol Flaw
2014-10-14 04:00:00
f5
f5
K15702 : SSLv3 vulnerability CVE-2014-3566
2015-09-18 00:00:00
hackerone
hackerone
New Relic: SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
2017-03-26 19:08:23
MariaDB: smtp service vulnerable to POODLE SSLv3
2019-03-24 06:26:55
fedora
fedora
[SECURITY] Fedora 20 Update: claws-mail-plugins-3.11.1-1.fc20
2014-11-10 06:30:28
[SECURITY] Fedora 21 Update: python-rhsm-1.13.6-1.fc21
2014-11-10 06:34:40
[SECURITY] Fedora 21 Update: libuv-0.10.29-1.fc21
2014-12-15 04:31:42
redhat
redhat
(RHSA-2015:1546) Important: node.js security update
2015-08-04 00:00:00
(RHSA-2014:1653) Moderate: openssl security update
2014-10-16 00:00:00
(RHSA-2015:1545) Important: node.js security update
2015-08-04 00:00:00
cert
cert
POODLE vulnerability in SSL 3.0
2014-10-17 00:00:00
cvelist
cvelist
CVE-2014-3566
2014-10-15 00:00:00
veracode
veracode
Information Disclosure
2017-02-07 00:05:45
Information Disclosure
2019-01-15 08:54:41
POODLE Attack
2017-04-27 06:54:17
amazon
amazon
Important: openssl
2014-10-14 22:32:00
seebug
seebug
SSL 3.0 POODLE(CVE-2014-3566)
2017-02-17 00:00:00
osv
osv
lighttpd - security update
2015-07-25 00:00:00
lighttpd - security update
2016-02-23 00:00:00
centos
centos
openssl security update
2014-10-16 15:21:39
suse
suse
Security update for suseRegister (important)
2015-01-05 21:04:43
cisco
cisco
SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
2014-10-15 18:30:00
fortinet
fortinet
SSL v3 "POODLE" Vulnerability
2014-10-15 00:00:00
aix
aix
Vulnerability in SSLv3 affects AIX,Vulnerability in SSLv3 affects VIOS
2015-06-17 09:52:06
securityvulns
securityvulns
TA14-290A: SSL 3.0 Protocol Vulnerability and POODLE Attack
2014-10-18 00:00:00
APPLE-SA-2014-10-16-4 OS X Server v3.2.2
2014-10-18 00:00:00
checkpoint_security
checkpoint_security
Check Point response to the POODLE Bites vulnerability (CVE-2014-3566)
2014-10-13 21:00:00
freebsd
freebsd
asterisk -- Asterisk Susceptibility to POODLE Vulnerability
2014-10-20 00:00:00
debian
debian
[SECURITY] [DSA 3489-1] lighttpd security update
2016-02-23 18:26:27
prion
prion
Code injection
2014-10-15 00:55:00
huawei
huawei
Security Advisory-SSLv3 POODLE Vulnerability in Huawei Products
2014-12-15 00:00:00
checkpoint_advisories
checkpoint_advisories
Secure Socket Layer (SSL) Version 3.0 (CVE-2014-3566)
2014-10-15 00:00:00

EPSS

0.975

Percentile

100.0%

JSON
Related for E42FE0E82C4CD079F3A942725651D824397BCFA95C8C2BC7F243A9042E12CCD8
ibm90nessus42openvas21citrix1f51hackerone2fedora17redhat3cert1cvelist1veracode3amazon1seebug1osv2centos1suse1cisco1fortinet1aix1securityvulns2checkpoint_security1freebsd1debian1prion1huawei1checkpoint_advisories1