SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled by default in the Apache based IBM HTTP Server.
CVE ID: CVE-2014-3566**
DESCRIPTION: **IBM HTTP Server could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plain text of encrypted connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
This vulnerability affects all versions and releases of IBM HTTP Server (IHS) component in all editions of WebSphere Application Server and bundling products.
There is no separate interim fix for the PI27904 APAR that is associated with this issue, but the interim fix for APAR PI31516 (TLS Padding Vulnerability CVE-2014-8730) includes the update for APAR PI27904. APAR PI27904 update disables SSLv3 by default for IHS 7.0 and newer, and adds the ‘SSLProtocolEnable’ directive into IHS 7.0.
The update for PI27904 will be included in fix packs 7.0.0.37, 8.0.0.10 and 8.5.5.4.
For all releases and versions of Apache based IBM HTTP Server, IBM recommends disabling SSLv3:
Add the following directive to the httpd.conf file to disable SSLv3 and SSLv2 for each context that contains “SSLEnable”:
SSLProtocolDisable SSLv3 SSLv2
Stop and restart IHS for the changes to take affect.
Note:
IBM recommends that you review your entire environment to identify other areas that enable SSLv3 protocol and take appropriate mitigation (such as disabling SSLv3) and remediation actions.
Subscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
Complete CVSS v2 Guide
On-line Calculator v2
Off
HTTPS advisor fails when SSLv3 is disabled on backend servers
TLS Padding vulnerability CVE-2014-8730
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
15 October 2014: original document published
03 November 2014: added extra notes
02 December 2014: added link to reference section
28 January 2015: added links to CVE-2014-8730
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
[{“Product”:{“code”:“SSEQTJ”,“label”:“IBM HTTP Server”},“Business Unit”:{“code”:“BU059”,“label”:“IBM Software w/o TPS”},“Component”:“SSL”,“Platform”:[{“code”:“PF002”,“label”:“AIX”},{“code”:“PF010”,“label”:“HP-UX”},{“code”:“PF016”,“label”:“Linux”},{“code”:“PF027”,“label”:“Solaris”},{“code”:“PF033”,“label”:“Windows”},{“code”:“PF035”,“label”:“z/OS”}],“Version”:“8.5.5;8.5;8.0;7.0;6.1”,“Edition”:“All Editions”,“Line of Business”:{“code”:“LOB45”,“label”:“Automation”}}]