Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566)


original link: http://www-01.ibm.com/support/docview.wss?uid=swg21687173

Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566)

Security Bulletin


Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled by default in IBM WebSphere Application Server.

Vulnerability Details

CVE ID: CVE-2014-3566
DESCRIPTION:
IBM WebSphere Application could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

This vulnerability affects all versions and releases of IBM WebSphere Application Server, IBM WebSphere Application Server Full Profile, IBM WebSphere Application Server Liberty Profile and IBM WebSphere Application Server Hypervisor Edition.

Remediation/Fixes

Please refer to the Security Bulletin for IBM HTTP Server to remediate your webserver.

If you have SSL hard coded in your application code, such as SSLContext.getInstance("SSL") then you should install the interim fixes listed below since the current implementation defaults that context to SSLv3. The interim fix is an enhancement in the IBM JDK.

The following table lists some common standard protocol label names for Java 5 and above:

ProtocolPrior to this fixAfter this fix
SSLSSL v3.0see chart below
SSLv3SSL v3.0Connection will fail
TLSTLS v1.0 (defined in RFC 2246)TLS v1.0 (defined in RFC 2246)
TLSv1TLS v1.0 (defined in RFC 2246)TLS v1.0 (defined in RFC 2246)
TLSv1.1TLS v1.1 (defined in RFC 4346)TLS v1.1 (defined in RFC 4346)
TLSv1.2TLS v1.2 (defined in RFC 5246)TLS v1.2 (defined in RFC 5246)
SSL_TLSEnables all SSL V3.0 and TLS 1.0 protocolsTLS 1.0
SSL_TLSv2Enables all SSL V3.0 and TLS 1.0, 1.1 and 1.2 protocolsTLS 1.0, 1.1 and 1.2 protocols

The IBM® SDK Java™ Technology Edition that is shipped with IBM WebSphere Application Server will be updated per the chart below, so that SSL Protocol alias label of "SSL" would mean the TLS levels marked.

Java Version
TLS 1.0
TLS 1.1
TLS 1.2
Java 7 Server
x
x
x
Java 7 Client
x
Java 6
x
Java 5
x
The interim fixes will disable SSLv3 by default. If you need to change that value, then there is a new java system property to enable SSLv3 with the protocols listed above. Set the system property either statically or dynamically as described in the product documentation for the IBM SDK Java Technology Edition you are using or in the Setting generic JVM arguments technote

-Dcom.ibm.jsse2.disableSSLv3=false  


For IBM WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition :

If using Installation Manager 1.7.3.1 or older, please refer to the reference section and upgrade to Installation Manager 1.8 or newer.

Download and apply the interim fix APARs below, for your appropriate release:

For V8.5.0.0 through 8.5.5.3 Full Profile and Liberty Profile IM install:

  • Apply Interim Fix PI28435: Will upgrade you to IBM Java SDK Version 7R1 Service Refresh 1 Fix Pack 1 (optional) + APAR IV66110 for change to disable SSLv3 by default
  • Apply Interim Fix PI28436: Will upgrade you to IBM Java SDK Version 7 Service Refresh 7 Fix Pack 1 (optional) + APAR IV66110 for change to disable SSLv3 by default
  • Apply Interim Fix PI28437: Will upgrade you to IBM Java SDK Version 6R1 Service Refresh 8 Fix Pack 1 (required) + APAR IV66110 for change to disable SSLv3 by default
--OR--
  • Apply IBM Java SDK shipped with the WebSphere Application Server Fix pack 8.5.5.4 or later.

For 8.0.0.0 through 8.0.0.9:
  • Apply Interim Fix PI28438: Will upgrade you to IBM Java SDK Version 6R1 Service Refresh 8 Fix Pack 1 + APAR IV66110 for change to disable SSLv3 by default
--OR--
  • Apply IBM Java SDK shipped with WebSphere Application Server Fix pack 10 (8.0.0.10) or later.

For V7.0.0.0 through 7.0.0.35:
  • Apply Interim Fix PI28439: Will upgrade you to IBM Java SDK Version 6 Service Refresh 16 Fix Pack 1 + APAR IV66110 for change to disable SSLv3 by default
--OR--
  • Apply IBM Java SDK shipped with WebSphere Application Server Fix pack 37 (7.0.0.37) or later.

For V6.1.0.0 through 6.1.0.47:
  • Apply Interim Fix PI28796 : Will upgrade you to IBM Java SDK Version 5.0 Service Refresh 16 Fix Pack 7 + APAR IV66111 for change to disable SSLv3 by default.

For IBM WebSphere Application Server Liberty Profile not using IM install

Please refer to the vendor that supplies you SDK. For users of the IBM SDK, Java Technology Edition please refer to this security bulletin: IBM SDK, Java Technology Edition fixes to mitigate against the POODLE security vulnerability

For IBM WebSphere Application Server for i5/OS operating systems:

The IBM Developer Kit for Java is prerequisite software for WebSphere Application Server for IBM i. Please refer to Java on IBM i for updates on when these fixes will be available.

Workarounds and Mitigations

None. Please apply Interim Fix or Fix Packs.

IBM recommends that you review your entire environment to identify other areas that enable SSLv3 protocol and take appropriate mitigation (such as disabling SSLv3) and remediation actions.

  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值