Security Bulletin
Summary
SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM UrbanCode Deploy.
Vulnerability Details
Subscribe to My Notifications to be notified of important product support alerts like this.
|
CVE-ID: CVE-2014-3566
Description: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Products and Versions
IBM UrbanCode Deploy 6.0, 6.0.1, 6.0.1.1, 6.0.1.2, 6.0.1.3, 6.0.1.4, 6.0.1.5, 6.0.1.6, 6.1, 6.1.0.1, 6.1.0.2, and 6.1.0.3 on all supported platforms.
Remediation/Fixes
Upgrade to one of the following releases as SSLv3 is automatically disabled:
- IBM UrbanCode Deploy Fix Pack 4 (6.1.0.4) for 6.1
- IBM UrbanCode Deploy Fix Pack 7 (6.0.1.7) for 6.0.1
Note: Old agents may not be able to connect to IBM UrbanCode Deploy without SSLv3 enabled; therefore, UrbanCode Deploy will dynamically enable SSLv3 if there are any undeleted agents with version 6.0.1.0.491104 or lower. If this scenario is detected, a warning message will be output during server startup.
You may disable SSLv3 in one of the following ways:
- Upgrade all old agents to the latest version.
- Put the following property in the server's conf/server/installed.properties file (Please note that doing this may cause some agents to no longer be able to connect to the server):
com.urbancode.ds.UDeployServer.forceNoSSLv3=true
- To force SSLv3 to never be enabled on the relay, regardless of the protocols available on the server:
com.urbancode.air.agentrelay.AgentRelay.forceNoSSLv3=true
- To configure the relay to enable SSLv3 if the target server cannot be reached during startup:
com.urbancode.air.agentrelay.AgentRelay.failOpenSSLv3=true
Workarounds and Mitigations
- Note: This mitigation is intended for the servers in "Affected Products and Versions" only. It should not be applied on later releases. Additionally, IBM UrbanCode Deploy Agents with version 6.0.1.0.491104 and earlier may be unable to connect after applying this changes. It is highly recommended to address this issue by upgrading the IBM UrbanCode Deploy server to 6.1.0.4 or 6.0.1.7, and then upgrade all agents.
- Open the file <server_install_dir>/conf/server/activemq.xml in a text editor
- At the bottom of the file, find the element called <transportConnector /> nested within the element named <transportConnectors />.
- Edit this element's uri attribute.
Follow the following instructions exactly, do not add any extra characters or whitespace.
- If the uri attribute looks like this:
uri="ah3://${server.host}:${server.jms.port}?transport.enabledProtocols=SSL,SSLv3,TLS,TLSv1,TLSv1.1,TLSv1.2,SSL_TLSv2&transport.enabledCipherSuites=${server.ssl.enabledCiphers}"
Alter the attribute to reflect the changes in bold:
uri="ah3://${server.host}:${server.jms.port}?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&transport.enabledCipherSuites=${server.ssl.enabledCiphers}"
- If the uri attribute looks like this:
uri="ah3://${server.host}:${server.jms.port}"
Alter the attribute to reflect the changes in bold:
uri="ah3://${server.host}:${server.jms.port}?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2" - Open the file <server_install_dir>/opt/tomcat/conf/server.xml in a text editor
- Find the XML element that begins with <Connector port="${install.server.web.https.port}"
- Update the following attributes within this XML element.
Do not add any extra characters or whitespace. If the attribute does not exist, then create it.
- For UrbanCode Deploy versions 6.0, 6.0.1, 6.0.1.1, 6.0.1.2, 6.0.1.3, 6.0.1.4, 6.0.1.5, 6.1.0.0, and 6.1.0.1:
sslProtocol="TLS"
protocols="TLSv1,TLSv1.1,TLSv1.2"
- For UrbanCode Deploy version 6.0.1.6, 6.1.0.2, and 6.1.0.3:
sslProtocol="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" - On the agent relay, open the file <agentrelay_install_dir>/conf/jms-relay/activemq.xml in a text editor
- At the bottom of the file, find the element called <transportConnector />, nested within the element named <transportConnectors />
- Edit this elements "uri" attribute.
Follow the instructions exactly, do not add any extra characters or whitespace. - If the uri attribute looks like this:
uri="ah3://${agentrelay.jms_proxy.relay_host}:${agentrelay.jms_proxy.relay_port}"
Append the following text (in bold) to the attribute:
uri="ah3://${agentrelay.jms_proxy.relay_host}:${agentrelay.jms_proxy.relay_port}?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"
- If the uri attribute looks like this:
uri="ah3://${agentrelay.jms_proxy.relay_host}:${agentrelay.jms_proxy.relay_port}?transport.enabledProtocols=SSL,SSLv3,TLS,TLSv1,TLSv1.1,TLSv1.2,SSL_TLSv2"
Alter the text to reflect the change in bold:
uri="ah3://${agentrelay.jms_proxy.relay_host}:${agentrelay.jms_proxy.relay_port}?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"
Mitigating POODLE attacks on agent communication (by default, communication on port 7918):
Mitigating POODLE attacks on HTTP communication (by default, communication on port 8443)
Mitigating POODLE attacks on JMS communication on agent relays (by default, communication on port 7916):
Get Notified about Future Security Bulletins
References
Acknowledgement
None
Change History
* 04 November 2014: Updated with details on the 6.0.1.7 and 6.1.0.4 fixpacks
* 21 October 2014: Original copy published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Internal Use Only
PSIRT # 2290 Record # 45076
Was this topic helpful?
Document Information
Modified date:
17 June 2018
UID
swg21687375