
Security Bulletin: Vulnerability in SSLv3 affects FileNet Content Manager, FileNet BPM and IBM Content Foundation (CVE-2014-3566)

Published: 2021-07-14 21:30:53 (source: www.ibm.com)

EPSS: 0.975 (percentile: 100.0%)

Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is a configurable option in FileNet Content Manager and FileNet BPM products. If using SSLv3 with these products, please refer to the sections below to remediate the POODLE security vulnerability.

Vulnerability Details

CVE-ID: CVE-2014-3566

DESCRIPTION: A remote attacker could obtain sensitive information, caused by a design error with the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plain text of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM FileNet Content Manager 5.0.0, 5.1.0, 5.2.0, 5.2.1 (includes CE, CSS and CFS)
IBM Content Foundation 5.2.0, 5.2.1 (includes CPE and CSS)
IBM FileNet Business Process Manager 4.5.1, 5.0.0

Remediation/Fixes

Upgrade to Java Runtime Environment (JRE) 1.6.0 SR16 FP2 or higher, in which SSLv3 is disabled by default, to avoid the POODLE security vulnerability. Installing the applicable fixes in the table below updates the private IBM JRE used by Process Engine (PE), Content Engine (CE/CPE) and Content Search Services (CSS) to 1.6.0 SR16 FP2.

Product                          | VRMF  | Remediation/First Fix Available
FileNet Content Manager          | 5.0.0 | 5.0.0.3-P8CE-FP003 - May 19, 2015
                                 | 5.1.0 | 5.1.0.5-P8CE-FP005 - Jan 29, 2015
                                 |       | 5.1.0.0-P8CSS-IF010 - Jan 29, 2015
                                 | 5.2.0 | 5.2.0.3-P8CPE-IF005 - Mar 10, 2015
                                 |       | 5.2.0.2-P8CSS-IF002 - Mar 10, 2015
                                 | 5.2.1 | 5.2.1.0-P8CPE-IF002 - April 8, 2015
                                 |       | 5.2.1.0-P8CSS-IF001 - April 8, 2015
IBM Content Foundation           | 5.2.0 | 5.2.0.3-P8CPE-IF005 - Mar 10, 2015
                                 |       | 5.2.0.2-P8CSS-IF002 - Mar 10, 2015
                                 | 5.2.1 | 5.2.1.0-P8CPE-IF002 - April 8, 2015
                                 |       | 5.2.1.0-P8CSS-IF001 - April 8, 2015
FileNet Business Process Manager | 4.5.1 | 4.5.1.4-P8PE-IF007 - April 8, 2015
                                 | 5.0.0 | 5.0.0.7-P8PE-IF001 - Dec 10, 2014
                                 |       | 5.0.0.8-P8PE-FP008 - Jan 29, 2015

IBM recommends that you review your entire environment to identify products and components that enable the SSLv3 protocol. The only way to truly mitigate the SSLv3 security vulnerability is to disable the SSLv3 protocol. Other protocols, such as Transport Layer Security (TLS), can be used instead to establish secure connections between components.

The SSLv3 vulnerability must be addressed at two different levels: the FileNet P8 level and the application server level.

At the FileNet P8 level (which includes Content Engine (CE/CPE), Process Engine (PE) and Content Search Services (CSS)), upgrade to the appropriate releases listed in the table above.

At the application server level (where Content Engine (CE/CPE) and Content Federated Services (CFS) reside):

- WebSphere:
  1. Apply the appropriate Interim Fix listed in this Security Bulletin:
     http://www.ibm.com/support/docview.wss?uid=swg21687173
  2. Configure one of the following SSL protocol options on the CE/CPE and CFS WebSphere Application Servers: TLS, TLSv1, TLSv1.1, TLSv1.2, SSL_TLS, SSL_TLSv2

- WebLogic, JBoss:
  Either upgrade the application server Java Runtime Environment (JRE) to SR16 FP2 or higher, or disable SSLv3 using the links in the Workarounds and Mitigations section below.

The CE/CPE Client Downloader now supports the Transport Layer Security (TLS) protocol as an alternative to the SSLv3 protocol in the releases listed in the table above. CE/CPE clients that use the Content Engine (CE/CPE) Client Download API, such as ICN Configuration Manager and Content Federation Services setup, should also be upgraded to JRE SR16 FP2 or higher.
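Once the fixes above or the application-server protocol settings are in place, the practical check is whether a CE/CPE, CFS or PE endpoint still completes an SSLv3 handshake. The following is an added example written for this bulletin, not IBM code: it sends a minimal SSLv3-only ClientHello (version 3.0, no extensions, RFC 6101 layout) and classifies the first record the server returns. A remediated server answers with an alert or closes the connection; an unremediated one answers with an SSLv3 ServerHello. The cipher suite list is an assumed SSLv3-era set, the sample server replies are constructed for offline testing, and the host name is a placeholder.

```python
"""Check whether a TLS endpoint still negotiates SSLv3 (CVE-2014-3566 remediation check).

Added example for this bulletin, not IBM code. The ClientHello offers only protocol
version 3.0; the verdict comes from the first record the server sends back.
"""
import os
import socket
import struct
import sys

SSLV3_VERSION = b"\x03\x00"
RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
HANDSHAKE_CLIENT_HELLO, HANDSHAKE_SERVER_HELLO = 0x01, 0x02
# Assumed SSLv3-era RSA suites so the hello is well-formed (AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA).
CIPHER_SUITES = (0x002F, 0x0035, 0x000A, 0x0005)
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_sslv3_client_hello(random_bytes=None) -> bytes:
    """Return one record carrying an SSLv3 ClientHello (no extensions)."""
    random_bytes = random_bytes or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSLV3_VERSION                              # client_version = 3.0
        + random_bytes                             # 32-byte random
        + b"\x00"                                  # empty session_id
        + struct.pack("!H", len(suites)) + suites  # cipher_suites
        + b"\x01\x00"                              # one compression method: null
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + SSLV3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server returns to the SSLv3 ClientHello."""
    if len(data) < 5:
        return "no-response"  # connection closed without a record: SSLv3 not offered
    content_type = data[0]
    if content_type == RECORD_ALERT and len(data) >= 7:
        # data[5] is the alert level, data[6] the description
        return "rejected:" + ALERT_NAMES.get(data[6], f"alert_{data[6]}")
    if content_type == RECORD_HANDSHAKE and len(data) >= 11 and data[5] == HANDSHAKE_SERVER_HELLO:
        # ServerHello body follows the 4-byte handshake header; its first field is server_version
        if data[9:11] == SSLV3_VERSION:
            return "sslv3-accepted"
        return f"unexpected-version:{data[9]}.{data[10]}"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello, and classify whatever comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            return classify_response(sock.recv(4096))
    except OSError:  # reset, timeout, refused: nothing negotiable as SSLv3
        return "no-response"


# Constructed server replies for offline testing (not captured from a real server).
SAMPLE_SSLV3_SERVER_HELLO = (
    b"\x16\x03\x00\x00\x2a"            # record: handshake, version 3.0, length 42
    + b"\x02\x00\x00\x26"              # ServerHello, body length 38
    + b"\x03\x00" + b"\x11" * 32       # server_version 3.0, random
    + b"\x00" + b"\x00\x2f" + b"\x00"  # empty session_id, AES128-SHA, null compression
)
SAMPLE_PROTOCOL_VERSION_ALERT = b"\x15\x03\x00\x00\x02\x02\x46"  # fatal protocol_version (70)


if __name__ == "__main__":
    # Usage: python sslv3_check.py <host> [port]; the default host is a placeholder.
    target = sys.argv[1] if len(sys.argv) > 1 else "ce-server.example.invalid"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(target, port, probe(target, port))
```

Run it against each CE/CPE, CFS and PE listener after remediation; "sslv3-accepted" on any of them means the component or its application server still enables SSLv3 and the matching step above has not taken effect. A "no-response" verdict on a port that otherwise serves TLS is the expected outcome for a JRE with SSLv3 disabled.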

Workarounds and Mitigations

Content Federation Services (CFS)
Content Federation Services (CFS) uses SSLv3 with the CE/CPE Client Downloader. For 5.2.0.2-CFS-FP002 and prior, launch the CFS installer program specifying JRE SR16 FP2 or higher to use the TLS protocol instead of SSLv3.
The command syntax is:

<Executable file name for CFS installer> LAX_VM <SR16FP2 Java executable>

For example:

(Windows)
5.1.0-CFS-WIN.EXE LAX_VM "C:\Program Files (x86)\Java\JRE6_SR16FP2\bin\java.exe"

(UNIX)
./5.1.0-CFS-<PLATFORM>.BIN LAX_VM /opt/ibm-java-jre-6.0-16.2-i386/jre/bin/java

Content Search Services (CSS)
If you are unable to upgrade to the appropriate CSS release (5.1.0.0-P8CSS-IF010, 5.2.0.2-P8CSS-IF002 or 5.2.1.0-P8CSS-IF001), which disables SSLv3 automatically, SSLv3 can be disabled manually by following the steps below.

  1. Add the following to the last line of the Content Search Services (CSS) startup script (it can be placed after the shutdown-on-OOM parameter): -Dcom.ibm.jsse2.usefipsprovider=true

  2. In the file [ECMTS_HOME]\Java60\jre\lib\security\java.security change the lines:
    #ssl.SocketFactory.provider=
    #ssl.ServerSocketFactory.provider=
    to
    ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
    ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl

  3. Also in the file [ECMTS_HOME]\Java60\jre\lib\security\java.security change the lines:
    security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.4=com.ibm.security.cert.IBMCertPath
    security.provider.5=com.ibm.security.sasl.IBMSASL
    security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.8=org.apache.harmony.security.provider.PolicyProvider
    security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    to
    security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.3=com.ibm.crypto.provider.IBMJCE
    security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.5=com.ibm.security.cert.IBMCertPath
    security.provider.6=com.ibm.security.sasl.IBMSASL
    security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.9=org.apache.harmony.security.provider.PolicyProvider
    security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    (The second row was added and then all the numbers were increased by 1)
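Steps 1 to 3 above are a mechanical edit that is easy to get wrong by hand on several CSS servers (a skipped renumbering leaves two providers with the same index). The following added example, written for this bulletin and not IBM's tooling, applies the three edits to the text of a java.security file and a startup script: it uncomments and sets the two ssl.*SocketFactory.provider keys, inserts com.ibm.crypto.fips.provider.IBMJCEFIPS at position 2 and renumbers the rest, and appends the JVM flag to the last line of the startup script. It is idempotent, so re-running it on an already-edited file changes nothing. The sample file contents are constructed excerpts, and the assumption is that the file uses the security.provider.N=class syntax shown in the bulletin.

```python
"""Apply the manual CSS SSLv3 workaround (steps 1-3 of the bulletin) to file contents.

Added example, not IBM code. Operates on strings so it can be tested offline;
read/write the real [ECMTS_HOME]\\Java60\\jre\\lib\\security\\java.security yourself.
"""
import re

FIPS_PROVIDER = "com.ibm.crypto.fips.provider.IBMJCEFIPS"
FIPS_JVM_FLAG = "-Dcom.ibm.jsse2.usefipsprovider=true"
SOCKET_FACTORY_SETTINGS = {
    "ssl.SocketFactory.provider": "com.ibm.jsse2.SSLSocketFactoryImpl",
    "ssl.ServerSocketFactory.provider": "com.ibm.jsse2.SSLServerSocketFactoryImpl",
}
PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(.*)$")


def provider_classes(text: str) -> list:
    """Return the active (uncommented) provider classes in file order."""
    return [m.group(2).strip() for m in map(PROVIDER_RE.match, text.splitlines()) if m]


def apply_sslv3_workaround(text: str) -> str:
    """Steps 2 and 3: set the socket factory providers and insert IBMJCEFIPS at position 2."""
    out = []
    providers = []
    block_start = None  # index in `out` where the renumbered provider block is re-inserted
    for line in text.splitlines():
        if PROVIDER_RE.match(line):
            if block_start is None:
                block_start = len(out)
            providers.append(PROVIDER_RE.match(line).group(2).strip())
            continue
        # "#ssl.SocketFactory.provider=" and an already-set line both normalise to the key
        key = line.lstrip("#").split("=", 1)[0].strip()
        if key in SOCKET_FACTORY_SETTINGS:
            out.append(f"{key}={SOCKET_FACTORY_SETTINGS[key]}")
            continue
        out.append(line)
    if block_start is None:
        raise ValueError("no security.provider.N entries found")
    if FIPS_PROVIDER not in providers:
        providers.insert(1, FIPS_PROVIDER)  # second row; everything after it shifts by one
    renumbered = [f"security.provider.{i}={cls}" for i, cls in enumerate(providers, start=1)]
    out[block_start:block_start] = renumbered
    return "\n".join(out) + "\n"


def ensure_fips_flag(startup_script: str) -> str:
    """Step 1: append the JVM flag to the last non-empty line of the startup script."""
    if FIPS_JVM_FLAG in startup_script:
        return startup_script
    lines = startup_script.rstrip("\n").split("\n")
    lines[-1] = lines[-1].rstrip() + " " + FIPS_JVM_FLAG
    return "\n".join(lines) + "\n"


# Constructed excerpt of a pre-workaround java.security (provider list as in the bulletin).
SAMPLE_JAVA_SECURITY = """\
# constructed excerpt, not a real file
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO

#ssl.SocketFactory.provider=
#ssl.ServerSocketFactory.provider=
"""
# Constructed startup script line; the real CSS script has more options before it.
SAMPLE_STARTUP_SCRIPT = "java -Xmx2048m -XX:+ExitOnOutOfMemoryError com.example.CssServer\n"

if __name__ == "__main__":
    print(apply_sslv3_workaround(SAMPLE_JAVA_SECURITY))
    print(ensure_fips_flag(SAMPLE_STARTUP_SCRIPT))
```

Check the result with provider_classes() before restarting CSS: position 2 must be IBMJCEFIPS, the list must have exactly one more entry than before, and the indices must be contiguous, which is the condition the parenthetical "all the numbers were increased by 1" describes.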

If unable to install JRE SR16 FP2 or higher on the Content Engine (CE/CPE) server, Content Federated Services (CFS) server, and ECM clients (as is the case for WebLogic or JBoss configurations), the following links describe how to disable SSLv3 at the application server level.

How to disable SSLv3 for WebSphere:
http://www.ibm.com/support/docview.wss?uid=swg21687173

How to disable SSLv3 for JBoss:
https://access.redhat.com/solutions/1232233

How to disable SSLv3 for WebLogic:
https://support.oracle.com/rs?type=doc&id=1936300.1