Security Bulletin: Vulnerability in SSLv3 affects Sametime (CVE-2014-3566)

Security Bulletin


Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 may be enabled in Sametime. Mitigation configuration steps are provided.

Vulnerability Details

CVE-ID: CVE-2014-3566
DESCRIPTION:

Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Sametime 8.5.x (including Entry, Standard, and Advanced)
Sametime 9.x (including Communicate, Conference, and Complete)

Remediation/Fixes

None

Workarounds and Mitigations

Change history (after originally published 30 October 2014):

    6 February 2015: Updated version with some fixes published
    26 February 2015: Updated instructions for Sametime Community fix for 9
    5 March 2015: Updated Sametime Community fix for 9 with Jar replacement option
    11 March 2015: Update due to changes in WAS security bulletin; added "Please Note" paragraph under the WAS security bulletin link

==============================================

IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation and remediation actions. The most immediate mitigation action that can be taken is disabling SSLv3. You should verify disabling SSLv3 does not cause any compatibility issues.
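Verifying that SSLv3 is actually refused on each listener is the check this paragraph asks for, and it is easiest to do with a protocol-level probe rather than a browser. The following is an added example written for this edition of the bulletin, not IBM's tool or part of any Sametime fix: it sends a minimal SSLv3 ClientHello to a host and port and classifies the first record the server returns. The host and port are placeholders (9443 is the SSC HTTPS port named in this bulletin's Video Manager instructions), the cipher-suite list is an assumed set of typical SSLv3-era suites, and anything other than an SSLv3 ServerHello, an alert, or a closed connection is reported as "unknown" rather than guessed at. Run it against each component's TLS port before and after applying the fixes; "refused" is the expected result once SSLv3 is disabled.

```python
"""Probe whether a TLS listener still accepts SSLv3 (CVE-2014-3566 / POODLE).

Sends a minimal SSLv3 ClientHello (no extensions) and classifies the
server's first record: a ServerHello negotiating version 3.0 means SSLv3
is still enabled; an alert or a closed connection means it is refused.
"""
import os
import socket
import struct
import sys

SSLV3 = b"\x03\x00"           # record/handshake version for SSL 3.0
CONTENT_HANDSHAKE = 0x16
CONTENT_ALERT = 0x15
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02

# Assumed list of SSLv3-era cipher suites (IANA values): RSA/DHE with AES,
# 3DES and RC4. Any server that still speaks SSLv3 can pick one of these.
CIPHER_SUITES = [0x002F, 0x0035, 0x0033, 0x0039, 0x000A, 0x0005, 0x0004]


def build_sslv3_client_hello(client_random=None):
    """Return the raw bytes of an SSLv3 ClientHello record."""
    client_random = client_random or os.urandom(32)
    if len(client_random) != 32:
        raise ValueError("client_random must be exactly 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSLV3                                   # client_version = 3.0
        + client_random                         # 32-byte random
        + b"\x00"                               # session_id length = 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                           # one compression method: null
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server sent back to the SSLv3 ClientHello.

    Returns "sslv3_accepted", "refused" or "unknown".
    """
    if not data:
        return "refused"        # server closed the connection without answering
    content_type = data[0]
    if content_type == CONTENT_ALERT:
        return "refused"        # e.g. handshake_failure (40) or protocol_version (70)
    if content_type == CONTENT_HANDSHAKE and len(data) >= 11 and data[5] == HS_SERVER_HELLO:
        server_version = data[9:11]   # 5-byte record header + 4-byte handshake header
        return "sslv3_accepted" if server_version == SSLV3 else "unknown"
    return "unknown"


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect to host:port, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""          # a reset or silence is treated as a refusal
    return classify_response(data)


if __name__ == "__main__":
    # Placeholder target: host and port of the listener being checked.
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 9443
    print(f"{target}:{port} -> {probe_sslv3(target, port)}")
```

A result of "sslv3_accepted" on any component after patching means that component, or a proxy or load balancer in front of it, still needs to be addressed.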

For the following bulleted components please use the following security bulletin from WebSphere in order to prevent the usage of SSL v3 by the server:

"Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566)" (#1687173)

PLEASE NOTE: The previous manual configuration instructions were removed from the WebSphere security bulletin. Please apply only Interim Fix PI28439 for Sametime 8.5.2.1. Please apply only Interim Fix PI28437 for Sametime 9.

  • Sametime Meetings Server
  • Sametime Advanced Server
  • Sametime Gateway
  • Sametime Proxy and the Sametime Web Chat client
  • Sametime VMGR
  • Sametime SIP Proxy Registrar
  • Sametime System Console  

Other Sametime components are not affected by the POODLE attack by default.

For the Community Server, if TLS was enabled for chat (e.g. in ST 9 HF1) and SSL v3 was explicitly enabled, it should be turned off. Please see the wiki article "Security Considerations for TLS Configuration" for details. Note that TLS for chat is not provided for IBM i.

In addition to the configuration above, fixes are provided for the following POODLE-related issues:
  • Issue #1: In Media servers, SSL v3 was still enabled for backend server-to-server connections.
  • Issue #2: After making the POODLE security change on the SSC as described in this bulletin, the installers for Sametime products (Advanced, Meetings, Media, Proxy, and Community Servers) are not able to connect to the SSC server, and policies are not being synched from the SSC into the Community Server.

Please note:
  • If you apply a POODLE patch to one Sametime component, you must apply it to all Sametime components.
  • If the Domino server that the Sametime Community Server runs on has been patched with any of the Domino patches below (at the Domino server level), the POODLE patch must be applied to all Sametime components:

     
Version 9

Component: Any WAS based components
Installation instructions: See instructions in the link.

Component: Sametime System Console
Installation instructions: Please update the Sametime System Console first.

Download the zip file from the provided Fix link.

Update SSC server (via Installation Manager) with this zip file.

NOTE: Please be aware that custom virtual hosts may be reset back to default after the Sametime application is updated or patched. For best results, document the virtual hosts prior to any upgrade and double-check and reset if needed post upgrading.
Component: Sametime Community Server
Fix (new install only, not for an upgrade): New Install Fix Link
Fix (upgrade): Upgrade Fix Link
Installation instructions: Two different options are provided. The full installer should be used only for a new installation of the Community Server, because of an issue with this installer when it is used for an upgrade.

The other fix is a Jar replacement fix, which should be applied using the following steps:
  1. Copy the two provided jars, consoleDepClient14.jar and http.api.jar, to the Community Server in this location:
    1. Windows: C:\Program Files (x86)\IBM\Lotus\Domino\console
    2. Unix: ../domino/data/console
  2. Connect the Community Server to the SSC with SSCSSLEnabled=true set in console.properties, which is located in the path above.
  3. Restart the STPolicy service and verify that policy is still being updated.
Component: Sametime Meetings Server
Installation instructions: Follow the online documented instructions, "Best Practices to ensure a smooth upgrade to Sametime":
http://www-01.ibm.com/support/docview.wss?uid=swg21579523

NOTE: Please be aware that custom virtual hosts may be reset back to default after the Sametime application is updated or patched. For best results, document the virtual hosts prior to any upgrade and double-check and reset if needed post upgrading.
Component: Sametime Proxy Server
Installation instructions: Prerequisite: The Sametime System Console must be at version 9.0. If not, you will see a failure message during the fix install noting an incorrect version level.

Installation Steps:
  1. Copy the file you downloaded onto the Sametime Proxy Server.
  2. Unzip the file on the server file system.
  3. Apply the fix by running the steps below on the Sametime Proxy Server:
    • Launch the Installation Manager
    • Select File > Preferences
    • Disable the automatic web update search to allow the installation to run successfully
    • Clear "Search service repositories during installation and updates" and click OK
    • Choose Add Repository
    • In the Browse field, enter the location of the repository.config file unzipped earlier
      e.g. .../SametimeProxyServer/disk1/STProxy/repository.config
    • Select OK
    • In the main Installation Manager window, choose Update
    • Select the IBM Sametime Server Platform package group
    • Click Next
    • Enter the WebSphere wasadmin user credentials for the Sametime Proxy Server and then click Validate
    • Click Next
    • Enter the Sametime System Console server details and WebSphere wasadmin credentials, then click Next
    • Click Upgrade
  4. Follow the instructions on the screen until the installation completes

NOTE: If you are running a multi-node (cluster) configuration, then repeat these instructions on each node.

NOTE: Please be aware that custom virtual hosts may be reset back to default after the Sametime application is updated or patched. For best results, document the virtual hosts prior to any upgrade and double-check and reset if needed post upgrading.
Component: Sametime Advanced Server
Installation instructions: Issues that are addressed by this fix:

Issue 1: When using HTTPS, some client side cookies were being created without the Secure flag. Some security scanning tools flag this as a potential issue.
Fix 1: Client side created cookies are set to Secure if on HTTPS.

Issue 2: An exception may occur when trying to retrieve the root folder.
Fix 2: The exception is fixed, and the root folder object is now returned.

Issue 3: An install issue occurred due to SSL v3 being disabled.
Fix 3: This install issue is now fixed.
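Issue 1 is the kind of finding a scanner raises by inspecting the Set-Cookie headers of an HTTPS response. The following audit is an added example, not IBM's code and not the Sametime Advanced fix itself: it parses a raw HTTP response header block and reports every cookie set without the Secure flag (and, as a related hygiene check, without HttpOnly). The sample headers and cookie names are constructed for the example, not captured from a Sametime server; point it at the headers returned by your own HTTPS endpoints before and after applying the fix.

```python
"""Audit Set-Cookie headers from an HTTPS response for the Secure flag."""


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into (cookie name, set of attribute names).

    Attribute names are lower-cased; value-less flags such as Secure and
    HttpOnly appear as plain names in the returned set.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = set()
    for attr in parts[1:]:
        key = attr.split("=", 1)[0].strip().lower()
        if key:
            attrs.add(key)
    return name, attrs


def audit_cookies(raw_headers, is_https=True):
    """Return (cookie name, problem) findings for cookies missing Secure or HttpOnly.

    raw_headers is the status line plus headers as text, CRLF or LF separated.
    Secure is only required when the response was served over HTTPS.
    """
    findings = []
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value.strip())
        if is_https and "secure" not in attrs:
            findings.append((name, "missing Secure"))
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly"))
    return findings


# Constructed sample response headers; cookie names and values are made up.
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: LtpaToken2=xyz; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: uiState=collapsed; Path=/\r\n"
)

if __name__ == "__main__":
    for cookie, problem in audit_cookies(SAMPLE_HEADERS):
        print(f"{cookie}: {problem}")
```

The attribute check is case-insensitive because servers emit "Secure", "secure" and "SECURE" interchangeably, and a scanner that only matched one spelling would miss the other two.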

Installation Instructions:

Download the zip file from the provided Fix link.

Update Advanced server (via Installation Manager) with this zip file.

NOTE: Please be aware that custom virtual hosts may be reset back to default after the Sametime application is updated or patched. For best results, document the virtual hosts prior to any upgrade and double-check and reset if needed post upgrading.
Component: Media Manager (VMCU)
Installation instructions: Download the fix file from the provided Fix link.

To install this MCU build, run one of the following commands:
  1. ./install.sh (For fresh install)
  2. ./upgrade.sh (For upgrade from previous version of the MCU)

Please make sure to also install the SSC fix mentioned in this table.

Please also refer to the following note from RedHat:
https://access.redhat.com/articles/904433
Component: VMGR (SolidDB Fix)
Installation instructions: Note: Although the fix mentions "Media", the fix is only for the Video Manager.

Update the Sametime Video Manager:
  1. On the computer where you will update Sametime Video Manager, log on as root.
  2. Download this fix from IBM Fix Central to the computer where you will install the Video Manager, and extract the package.
  3. Open a command window and change to the location where you installed Installation Manager. The default location is: /opt/IBM/InstallationManager/eclipse.
  4. Start Installation Manager by running the following command: ./IBMIM
  5. Disable the automatic web update search to allow the installation to run successfully.
  6. Set the repository location by completing the following steps: 
    1. In the Installation Manager window, click File > Preferences.
    2. On the Preferences page, click Repositories.
    3. Add the repository for the Sametime Video Manager installation package: 
      1. On the Repositories page, click Add Repository.
      2. On the Add Repository page, click Browse.
      3. On the Select Repository page, browse to the location where you stored the extracted files for Sametime Video Manager, and open the IAV subdirectory.
      4. Click the repository.config file to select it, and then click Apply.
      5. Deselect any listed repositories that you will not use for installing the Sametime Video Manager.
    4. Click OK.
  7. Back in the main Installation Manager window, click Update.
  8. Select the IBM Sametime Server Platform package group, and click Next.
  9. On the Update Packages page, ensure that IBM Sametime Media Server 9.0.0.0 is selected, and click Next.
  10. On the License page, accept the license agreement and click Next.
  11. On the WebSphere Configuration page, provide the WebSphere administrator user name and password for the Sametime Video Manager that you are updating, and then click Validate.
  12. On the Sametime System Console Login page, supply the following values for connecting to the Sametime System Console, and then click Next:
    1. Host Name: Provide the fully qualified domain name for the Sametime System Console. The host name was determined when you installed the Sametime System Console. The host name must be the actual host name and not a DNS alias.
    2. Use SSL: Leave this option selected to run the server over a secure connection.
      HTTPS Port: Leave 9443 as the default value.
    3. User ID and Password: Provide the WebSphere Application Server user ID and password that you created when you installed the Sametime System Console.
  13. Review the summary, then click Upgrade to start the update. 
  14. When the update is complete, click Finish. 
  15. Click Exit to close Installation Manager.

Version 8.5.2.1

Component: Any WAS based components
Installation instructions: See instructions in the link. Has to be installed before the SSC is patched.

Component: Sametime System Console
Installation instructions: Please update the Sametime System Console first.

Download the zip file from the provided Fix link.

Update the SSC server using these instructions: "Installing Sametime 8.5.2 Interim Feature Release 1 on the Sametime System Console"

NOTE: Please be aware that custom virtual hosts may be reset back to default after the Sametime application is updated or patched. For best results, document the virtual hosts prior to any upgrade and double-check and reset if needed post upgrading.
Component: Sametime Community Server
Installation instructions: Procedure
  1. Shut down the Domino server by issuing "./ststart quit" from the data folder.
  2. Back up all binary files, including jar files, under the Sametime default binaries folder.
  3. Back up the entire Domino directory (this will include the sametime.ini).
  4. On the Sametime Community Server, navigate to the directory where you copied and extracted the installation files.
  5. Run the setup program.
Verify the installation with the following steps:
  1. Restart the Domino server.
  2. Check that the latest sametime.log file contains several references to the Cumulative Fix build label: STS8.5.2.1_20141211.1500

References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

30 October 2014: Original Version Published
6 February 2015: Updated version with some fixes published
26 February 2015: Updated instructions for community fix for 9
5 March 2015: Update community fix for 9 with Jar replacement option.
11 March 2015: Update due to changes in WAS security bulletin.
5 May 2015: A few fixes regarding IBM i and location of files in Unix.
2 July 2015: Small clarification regarding console.properties location.
17 September 2015: Update of the Sametime Advanced fix due to an issue.
30 October 2015: Various editorial changes for clarity.
21 July 2016: Fixed 9.0.0.1 Proxy fix link.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: IBM Sametime

Software version: 8.5, 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, 8.5.2.1, 9.0, 9.0.0.1

Operating system(s): AIX, IBM i, Linux, Windows

Reference #: 1687845

Modified date: 07 June 2016

