CVSS2: 4.3 Medium

Metric | Value
---|---
Access Vector | NETWORK
Access Complexity | MEDIUM
Authentication | NONE
Confidentiality Impact | PARTIAL
Integrity Impact | NONE
Availability Impact | NONE
Vector | AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3: 3.4 Low

Metric | Value
---|---
Attack Vector | NETWORK
Attack Complexity | HIGH
Privileges Required | NONE
User Interaction | REQUIRED
Scope | CHANGED
Confidentiality Impact | LOW
Integrity Impact | NONE
Availability Impact | NONE
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

EPSS: 0.975 High (percentile 100.0%)
A Transport Layer Security (TLS) CBC padding vulnerability, exploitable via a POODLE (Padding Oracle On Downgraded Legacy Encryption)-like attack, affects IBM HTTP Server.
CVE-ID: CVE-2014-8730
DESCRIPTION:
IBM HTTP Server could allow a remote attacker to obtain sensitive information, caused by the failure of some TLS implementations to check the contents of the padding bytes when using CBC cipher suites. A remote attacker able to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption)-like attack to decrypt sensitive information and recover the plain text of secure connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99216 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
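To make the description concrete, the Python script below is an added illustration (not IBM's code and not part of the advisory). It builds a toy MAC-then-encrypt CBC record layer with two server variants: a lenient padding check that looks only at the length byte, and the strict check that "strict CBC padding enforcement" turns on. A simulated man-in-the-middle then runs the POODLE block-swapping step against both and recovers the secret only from the lenient server. The Feistel block cipher, the keys, the SECRET value and the seeded IVs are all constructed for the demo; a fresh IV per record and the attacker knowing the secret's length are simplifying assumptions.

```python
import hashlib
import hmac
import random

BLOCK = 16          # block size of the toy cipher (bytes)
MAC_LEN = 32        # HMAC-SHA256 tag, appended before padding (MAC-then-encrypt, as in SSLv3/TLS 1.x)
ROUNDS = 8
ENC_KEY = b"demo-enc-key-0000"   # constructed keys; the attacker never sees them
MAC_KEY = b"demo-mac-key-0000"
SECRET = b"sid=7f3a"             # constructed "cookie" the attacker wants to read

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key, r, half):
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]

def block_encrypt(key, block):
    # Toy 16-byte Feistel cipher standing in for AES; the attack is cipher-agnostic.
    left, right = block[:8], block[8:]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, r, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for r in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, r, left)), left
    return left + right

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)

def cbc_decrypt(key, record):
    blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
    return b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))

def client_send(prefix_len, suffix_len, rng):
    # Victim client. As in POODLE, attacker-controlled content (e.g. injected script)
    # decides how many bytes surround the fixed, unknown SECRET. A fresh IV per
    # record is a simplification (TLS 1.0 chains IVs; the attack works either way).
    plaintext = b"A" * prefix_len + SECRET + b"B" * suffix_len
    mac = hmac.new(MAC_KEY, plaintext, hashlib.sha256).digest()
    pad_len = BLOCK - (len(plaintext) + MAC_LEN) % BLOCK      # 1..16 bytes of padding
    padding = bytes([pad_len - 1]) * pad_len                  # every byte equals the length field
    iv = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    return cbc_encrypt(ENC_KEY, iv, plaintext + mac + padding)

def server_accepts(record, strict):
    # Server side; only accept/reject leaks to the network (alert vs. none).
    pt = cbc_decrypt(ENC_KEY, record)
    pad_field = pt[-1]
    if pad_field >= BLOCK or len(pt) < pad_field + 1 + MAC_LEN:
        return False
    if strict and any(b != pad_field for b in pt[-(pad_field + 1):]):
        return False  # the check that strict CBC padding enforcement adds
    body = pt[:-(pad_field + 1)]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(tag, hmac.new(MAC_KEY, data, hashlib.sha256).digest())

def recover_secret_byte(j, strict, rng, max_tries):
    # Man-in-the-middle step: align SECRET[j] to the last byte of a block, force a
    # full block of padding, then overwrite the padding block with the target block.
    prefix_len = BLOCK + (BLOCK - 1 - j) % BLOCK
    suffix_len = (-(prefix_len + len(SECRET))) % BLOCK        # attacker assumed to know len(SECRET)
    target = (prefix_len + j) // BLOCK + 1                     # index into [IV, C1, ..., Cn]
    for _ in range(max_tries):
        record = client_send(prefix_len, suffix_len, rng)
        blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
        tampered = b"".join(blocks[:-1] + [blocks[target]])    # C_n := C_target
        if server_accepts(tampered, strict):
            # Accepted only if D(C_target) XOR C_{n-1} ends in 0x0f, hence
            # P_target[15] = C_{target-1}[15] XOR C_{n-1}[15] XOR 0x0f
            return blocks[target - 1][-1] ^ blocks[-2][-1] ^ (BLOCK - 1)
    return None   # never accepted: the expected outcome against the strict check

def recover_secret(strict, seed=1, max_tries=8192):
    rng = random.Random(seed)   # seeded only so the demo is reproducible
    out = bytearray()
    for j in range(len(SECRET)):
        b = recover_secret_byte(j, strict, rng, max_tries)
        if b is None:
            return None
        out.append(b)
    return bytes(out)

if __name__ == "__main__":
    print("lenient padding check (vulnerable):", recover_secret(strict=False))
    print("strict padding check (PI31516):    ", recover_secret(strict=True))
```

Against the lenient server each secret byte costs about 256 forged records on average, because the swapped block is accepted exactly when its decryption ends in 0x0f; with the strict check the other fifteen padding bytes must also match, so the same forgery is rejected and the oracle disappears.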
This vulnerability affects all versions and releases of IBM HTTP Server (powered by Apache) component in all editions of WebSphere Application Server and bundling products.
The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI31516 for each named product as soon as practical. APAR PI31516 enables strict CBC padding by default. The PI31516 interim fix for IBM HTTP Server (IHS) 7.0 and newer also includes the update for PI27904 (SSLv3 vulnerability CVE-2014-3566), which disables SSLv3 by default.
For affected IBM HTTP Server for WebSphere Application Server:

**For V8.5.0.0 through 8.5.5.4 Full Profile:**
· Upgrade to a minimum of Fix Pack 8.5.5.2 or later, then apply Interim Fix PI31516
--OR--
· Apply Fix Pack 8.5.5.5 or later.

**For V8.0 through 8.0.0.10:**
· Upgrade to a minimum of Fix Pack 8.0.0.9 or later, then apply Interim Fix PI31516
--OR--
· Apply Fix Pack 8.0.0.11 or later.

**For V7.0.0.0 through 7.0.0.35:**
· Upgrade to a minimum of Fix Pack 7.0.0.33 or later, then apply Interim Fix PI31516
--OR--
· Apply Fix Pack 7.0.0.37 or later.

**For V6.1.0.0 through 6.1.0.47:**
· Upgrade to Fix Pack 6.1.0.47, then apply Interim Fix PI31516

**For V6.0.0.0 through 6.0.2.43:**
· Upgrade to Fix Pack 6.0.2.43, contact IBM Support to get the Interim Fix for PI31516, then apply the fix
For all versions and releases of Apache based IBM HTTP Server, IBM recommends enabling strict CBC padding enforcement. Add the following directive to the httpd.conf file, in each context that contains "SSLEnable", to enable strict CBC padding enforcement:

`SSLAttributeSet 471 1`

**NOTE:** Enabling strict CBC padding enforcement has the following prerequisite APARs: PI05309, PI08502, PI09443, PI13422, PI19700, PI26894.

Stop and restart IHS for the changes to take effect.

**Note:**
· If you start IHS with the -f command line argument, or you use the "Include" directive to include alternate configuration files, you may need to search those files for SSLEnable as well.
· If you configure SSL with SSLEnable in the global (non-virtualhost) scope, you will need to move SSLEnable into a virtualhost scope before adding SSLAttributeSet.
· You should verify that applying this configuration change does not cause any compatibility issues.
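As an added example (not from the advisory or from IBM), the Python audit below checks the three points above against a configuration tree: it walks httpd.conf, follows Include and IncludeOptional directives (resolved against ServerRoot, or the main file's directory until ServerRoot is seen), tracks <VirtualHost> scope, and reports every context with SSLEnable that lacks `SSLAttributeSet 471 1` as well as any SSLEnable sitting in the global scope. The sample configuration it writes to a temporary directory is constructed; if IHS is started with -f, pass that file's path instead.

```python
import glob
import os
import tempfile

def audit_httpd_conf(conf_path):
    """Return findings for every context that contains SSLEnable.

    Flags (a) SSLEnable in the global scope, which must move into a
    <VirtualHost> before SSLAttributeSet can be added there, and
    (b) any VirtualHost that enables SSL without 'SSLAttributeSet 471 1'.
    """
    findings = []
    server_root = os.path.dirname(os.path.abspath(conf_path))
    contexts = [{"name": "global scope", "ssl": None, "strict": False}]

    def finish(ctx):
        if ctx["ssl"] is None:
            return
        if ctx["name"] == "global scope":
            findings.append(f"SSLEnable at {ctx['ssl']} is in the global scope; "
                            "move it into a <VirtualHost> before adding SSLAttributeSet 471 1")
        elif not ctx["strict"]:
            findings.append(f"{ctx['name']}: SSLEnable at {ctx['ssl']} "
                            "without 'SSLAttributeSet 471 1'")

    def walk(path):
        nonlocal server_root
        with open(path) as fh:
            for lineno, raw in enumerate(fh, 1):
                line = raw.split("#", 1)[0].strip()   # drop comments; assumes no '#' inside values
                if not line:
                    continue
                tokens = line.split()
                key = tokens[0].lower()
                where = f"{path}:{lineno}"
                if key == "serverroot" and len(tokens) > 1:
                    server_root = tokens[1].strip('"')
                elif key in ("include", "includeoptional") and len(tokens) > 1:
                    pattern = tokens[1].strip('"')
                    if not os.path.isabs(pattern):
                        pattern = os.path.join(server_root, pattern)
                    for included in sorted(glob.glob(pattern)):
                        walk(included)                 # recurse into each included file
                elif key.startswith("<virtualhost"):
                    contexts.append({"name": f"{line} at {where}", "ssl": None, "strict": False})
                elif key == "</virtualhost>":
                    finish(contexts.pop())
                elif key == "sslenable":
                    contexts[-1]["ssl"] = where
                elif key == "sslattributeset" and tokens[1:3] == ["471", "1"]:
                    contexts[-1]["strict"] = True

    walk(os.path.abspath(conf_path))
    finish(contexts[0])
    return findings

def build_sample_tree():
    # Constructed sample configuration, not taken from the advisory: one compliant
    # virtual host, one missing the directive, and an included file that enables
    # SSL in the global scope.
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "conf.d"))
    with open(os.path.join(root, "httpd.conf"), "w") as fh:
        fh.write("\n".join([
            "Listen 80",
            "<VirtualHost *:443>",
            "    ServerName good.example",
            "    SSLEnable",
            "    # strict CBC padding enforcement",
            "    SSLAttributeSet 471 1",
            "</VirtualHost>",
            "<VirtualHost *:8443>",
            "    ServerName missing.example",
            "    SSLEnable",
            "</VirtualHost>",
            "Include conf.d/*.conf",
            "",
        ]))
    with open(os.path.join(root, "conf.d", "legacy-ssl.conf"), "w") as fh:
        fh.write("Keyfile /opt/IBM/HTTPServer/ssl/key.kdb\nSSLEnable\n")
    return os.path.join(root, "httpd.conf")

def demo():
    return audit_httpd_conf(build_sample_tree())

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against the real tree with `audit_httpd_conf("/path/to/httpd.conf")`; an empty list means every SSLEnable context already carries the directive and none is in the global scope.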
CPE

Name | Operator | Version
---|---|---
ibm http server | eq | 8.5.5
ibm http server | eq | 8.5
ibm http server | eq | 8.0
ibm http server | eq | 7.0
ibm http server | eq | 6.1
ibm http server | eq | 6.0.2