Security Bulletin: Vulnerability in SSLv3 affects IBM Platform Symphony (CVE-2014-3566)

2018-06-18 01:26:39
www.ibm.com
EPSS: 0.975 (High), percentile 100.0%

Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in Platform Symphony.

Vulnerability Details

CVE-ID: CVE-2014-3566

DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM Platform Symphony v5.2, v6.1.x

Remediation/Fixes

None

Workarounds and Mitigations

IBM recommends that you review your entire environment to identify other areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions, such as disabling SSLv3.

Complete the steps below to use an RC4 cipher such as RC4-MD5 or RC4-SHA.

1. Open the ego.conf file on the management host using a text editor. The location of the file is defined in the EGO_CONFDIR environment variable.
2. Set the EGO_TRANSPORT_SECURITY parameter to SSL.
3. Set EGO_DEFAULT_TS_PARAMS.

For example:

(Linux/UNIX)

EGO_DEFAULT_TS_PARAMS="SSL[CERTIFICATE=/etc/symcert.pem,CIPHER=EDH-RSA-DES-CBC3-SHA,PRIVATE_KEY=/etc/symkey.pem]"

(Windows)

EGO_DEFAULT_TS_PARAMS="SSL[CERTIFICATE=C:\xxc\newcert.pem,CIPHER=EDH-RSA-DES-CBC3-SHA,PRIVATE_KEY=C:\xxc\newkey.pem]"

Note: In most cases, EGO_KD_TS_PARAMS and ESC_TS_PARAMS do not need to be defined, as VEMKD and the Service Controller use the SSL parameters in EGO_DEFAULT_TS_PARAMS by default.

4. Assign an SSL port number to the EGO_KD_TS_PORT parameter.
5. Open the ego.conf file on the client host using a text editor.
6. For EGO_CLIENT_TS_PARAMS, enable server authentication.

For example:

(Linux/UNIX)

EGO_CLIENT_TS_PARAMS="SSL[CAFILE=/home/.../cacert.pem,CIPHER=EDH-RSA-DES-CBC3-SHA,SERVER_AUTH={myCN}]"

(Windows)

EGO_CLIENT_TS_PARAMS="SSL[CIPHER=EDH-RSA-DES-CBC3-SHA,CAFILE=C:\xxc\demoCA\cacert.pem,SERVER_AUTH={myCN}]"

7. Open the sd.xml file on the management host using an XML editor.
8. Set the SD_SDK_TRANSPORT parameter to TCPIPv4SSL (SSL driver on TCP/IPv4).
9. Set the SD_SDK_TRANSPORT_ARG parameter to $EGO_DEFAULT_TS_PARAMS.
10. Set the SSM_SDK_TRANSPORT parameter to TCPIPv4SSL (SSL driver on TCP/IPv4).
11. Set the SSM_SDK_TRANSPORT_ARG parameter to $EGO_DEFAULT_TS_PARAMS.
12. Set the SDK_TRANSPORT parameter to TCPIPv4SSL (SSL driver on TCP/IPv4).
13. Set the SDK_TRANSPORT_ARG parameter to $EGO_CLIENT_TS_PARAMS.

14. For the Platform Symphony 6.1.1 security patch, to enable an SSL connection between SSM and SIM, the format of the SSM_SDK_TRANSPORT_ARG parameter is the same as that of EGO_DEFAULT_TS_PARAMS, and the format of the SDK_TRANSPORT_ARG parameter is the same as that of EGO_CLIENT_TS_PARAMS.

15. For the Platform Symphony 6.1.1 security patch, to configure application data integrity and privacy, set the value of the client-side environment variable SOAM_SET_CIPHER_SECURE_DDT to RC4-MD5 or RC4-SHA.
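The following audit script is an added example, not part of the IBM bulletin or of Platform Symphony: it parses the ego.conf settings from steps 1 to 6 (EGO_TRANSPORT_SECURITY, EGO_KD_TS_PORT, and the SSL[KEY=value,...] strings in EGO_DEFAULT_TS_PARAMS and EGO_CLIENT_TS_PARAMS) and reports management or client hosts where the SSL transport is still incomplete. The sample configuration files and the port number are constructed for the demonstration.

```python
import re

def parse_ego_conf(text):
    """Read KEY=value lines of an ego.conf into a dict, dropping comments and quotes."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip().strip('"')
    return conf

def parse_ts_params(value):
    """Split an SSL[K=V,K=V,...] transport string into a dict; None if it is not SSL[...]."""
    m = re.fullmatch(r"SSL\[(.*)\]", value.strip())
    if not m:
        return None
    params = {}
    for item in m.group(1).split(","):  # no value in the bulletin's format contains a comma
        k, _, v = item.strip().partition("=")
        if k:
            params[k.strip()] = v.strip()
    return params

def audit_ego_conf(text, role):
    """Return findings for a management-host ('server') or client-host ('client') ego.conf."""
    conf, findings = parse_ego_conf(text), []
    if role == "server":  # steps 1-4 of the bulletin
        if conf.get("EGO_TRANSPORT_SECURITY") != "SSL":
            findings.append("EGO_TRANSPORT_SECURITY is not SSL")
        if not conf.get("EGO_KD_TS_PORT"):
            findings.append("EGO_KD_TS_PORT is not set")
        name, required = "EGO_DEFAULT_TS_PARAMS", {"CERTIFICATE", "CIPHER", "PRIVATE_KEY"}
    else:                 # steps 5-6: the client must pin the CA and enable server authentication
        name, required = "EGO_CLIENT_TS_PARAMS", {"CAFILE", "CIPHER", "SERVER_AUTH"}
    params = parse_ts_params(conf.get(name, ""))
    if params is None:
        return findings + [f"{name} is missing or not an SSL[...] block"]
    findings += [f"{name} lacks {k}" for k in sorted(required - params.keys())]
    if "CIPHER" in params and not params["CIPHER"]:
        findings.append(f"{name} has an empty CIPHER")
    return findings

# Constructed sample files (not copied from any real host): one hardened, one still on plain TCP.
GOOD_SERVER = 'EGO_TRANSPORT_SECURITY=SSL\nEGO_KD_TS_PORT=7872\nEGO_DEFAULT_TS_PARAMS="SSL[CERTIFICATE=/etc/symcert.pem,CIPHER=EDH-RSA-DES-CBC3-SHA,PRIVATE_KEY=/etc/symkey.pem]"\n'
BAD_SERVER = '# SSL never enabled\nEGO_TRANSPORT_SECURITY=TCP\nEGO_DEFAULT_TS_PARAMS="SSL[CERTIFICATE=/etc/symcert.pem,CIPHER=]"\n'
CLIENT = 'EGO_CLIENT_TS_PARAMS="SSL[CAFILE=C:\\xxc\\demoCA\\cacert.pem,CIPHER=EDH-RSA-DES-CBC3-SHA,SERVER_AUTH={myCN}]"\n'
if __name__ == "__main__":
    for label, text, role in (("good", GOOD_SERVER, "server"), ("bad", BAD_SERVER, "server"), ("client", CLIENT, "client")):
        print(label, audit_ego_conf(text, role) or ["OK"])
```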