IBM Support

Security Bulletin: Vulnerability in SSLv3 affects IBM HTTP Server (CVE-2014-3566)

Security Bulletin


Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled by default in the Apache based IBM HTTP Server.

Vulnerability Details

CVE ID: CVE-2014-3566
DESCRIPTION:
IBM HTTP Server could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plain text of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

This vulnerability affects all versions and releases of IBM HTTP Server (IHS) component in all editions of WebSphere Application Server and bundling products.

Remediation/Fixes

There is no separate interim fix for the PI27904 APAR that is associated with this issue, but the interim fix for APAR PI31516 (TLS Padding Vulnerability CVE-2014-8730) includes the update for APAR PI27904. APAR PI27904 update disables SSLv3 by default for IHS 7.0 and newer, and adds the 'SSLProtocolEnable' directive into IHS 7.0.

The update for PI27904 will be included in fix packs 7.0.0.37, 8.0.0.10 and 8.5.5.4.

Workarounds and Mitigations

For all releases and versions of Apache based IBM HTTP Server, IBM recommends disabling SSLv3:


Add the following directive to the httpd.conf file to disable SSLv3 and SSLv2 for each context that contains "SSLEnable":

# Disable SSLv3 for CVE-2014-3566
# SSLv2 is disabled in V8R0 and later by default, and in typical V7
# and earlier configurations disabled implicitly when SSLv3 ciphers
# are configured with SSLCipherSpec.
SSLProtocolDisable SSLv3 SSLv2

Stop and restart IHS for the changes to take affect.

Note:

  • If you start IHS with the -f command line argument, or you use the "Include" directive to include alternate configuration files, you may need to search those filenames for SSLEnable.
  • If you configure SSL with SSLEnable in the global (non-virtualhost) scope, you will need to move SSLEnable into a virtualhost scope to add SSLProtocolDisable

IBM recommends that you review your entire environment to identify other areas that enable SSLv3 protocol and take appropriate mitigation (such as disabling SSLv3) and remediation actions.

Get Notified about Future Security Bulletins

Important note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

15 October 2014: original document published
03 November 2014: added extra notes
02 December 2014: added link to reference section
28 January 2015: added links to CVE-2014-8730

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: IBM HTTP Server
SSL

Software version: 6.1, 7.0, 8.0, 8.5, 8.5.5

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS

Software edition: All Editions

Reference #: 1687172

Modified date: 20 October 2014


Translate this page: