Summary

Transport Layer Security (TLS) padding vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) like attack affects IBM HTTP Server.

Vulnerability Details

CVE-ID: CVE-2014-8730

DESCRIPTION:
IBM HTTP Server could allow a remote attacker to obtain sensitive information, caused by the failure to check the contents of the padding bytes when using CBC cipher suites of some TLS implementations. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) like attack to decrypt sensitive information and calculate the plain text of secure connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99216 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

This vulnerability affects all versions and releases of IBM HTTP Server (powered by Apache) component in all editions of WebSphere Application Server and bundling products.

• Version 8.5.5
• Version 8.5
• Version 7.0
• Version 6.1
• Version 6.0

Remediation/Fixes

The recommended solutions is to apply the interim fix, Fix Pack or PTF containing APAR PI31516 for each named product as soon as practical. APAR PI31516 enables the strict CBC padding by default. The PI31516 interim fix for IBM HTTP Server (IHS) 7.0 and newer also includes the update for PI27904 (SSLV3 vulnerability CVE-2014-3566) which disables SSLv3 by default.

For affected IBM HTTP Server for WebSphere Application Server: For V8.5.0.0 through 8.5.5.4 Full Profile:

· Upgrade to a minimum of Fix Pack 8.5.5.2 or later then apply Interim Fix PI31516

--OR–
· Apply Fix Pack 8.5.5.5 or later.

**
For V8.0 through 8.0.0.10:**
· Upgrade to a minimum of Fix Pack 8.0.0.9 or later and then apply Interim Fix PI31516

--OR–
· Apply Fix Pack 8.0.0.11 or later.

**
For V7.0.0.0 through 7.0.0.35:**
· Upgrade to a minimum of Fix Pack 7.0.0.33 or later and then apply Interim Fix PI31516

--OR–
· Apply Fix Pack 7.0.0.37 or later.

For V6.1.0.0 through 6.1.0.47:
· Upgrade to Fix Pack 6.1.0.47 and then apply Interim Fix PI31516

**
For V6.0.0.0 through 6.0.2.43:**
· Upgrade to Fix Pack 6.0.2.43, contact IBM Support to get the Interim Fix for PI31516 and then apply the fix

Workarounds and Mitigations

For all versions and releases of Apache based IBM HTTP server, IBM recommends enabling strict CBC padding enforcement. Add the following directive to the httpd.conf file, for each context that contains “SSLEnable”, to enable strict CBC padding enforcement.

Enable strict CBC padding

SSLAttributeSet 471 1`` **NOTE:**Enabling strict CBC padding enforcement has the following prerequisites:

• Maintenance levels: 7.0.0.33, 8.0.0.9, 8.5.5.2 or later
  -- OR
• Any older fixpack/release with any one of the following interim fixes applied: PI05309, PI08502, PI09443, PI13422, PI19700, PI26894

Stop and restart IHS for the changes to take affect.
**
Note:**
If you start IHS with the -f command line argument, or you use the “Include” directive to include alternate configuration files, you may need to search those filenames for SSLEnable.
If you configure SSL with _SSLEnable in the global (non-virtualhost) scope, you will need to move SSLEnable into a virtualhost scope to add _SSLAttributeSet

You should verify applying this configuration change does not cause any compatibility issues.