Security Bulletin: TLS padding vulnerability affects IBM Rational RequisitePro (CVE-2014-8730)

Summary

A Transport Layer Security (TLS) padding vulnerability, exploitable through a POODLE (Padding Oracle On Downgraded Legacy Encryption)-like attack, affects IBM Rational RequisitePro.

Vulnerability Details

CVE-ID: CVE-2014-8730

Description: IBM Rational RequisitePro could allow a remote attacker to obtain sensitive information, caused by the failure of some TLS implementations to check the contents of the padding bytes when using CBC cipher suites. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption)-like attack to decrypt sensitive information and recover the plaintext of secure connections.
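The padding-contents check at the heart of this issue, as an added example that is not IBM or GSKit code: the lax check reads only the final length byte, whereas the strict TLS check also verifies every padding byte. The record contents and MAC are constructed placeholders, and the MAC itself is not verified here.

```python
# Added example (not IBM or GSKit code): TLS 1.x CBC padding validation.
# A decrypted CBC record is  data || MAC || padding || padding_length.
# The lax (SSL 3.0-style) check trusts only the final length byte; the TLS
# rule (RFC 5246, 6.2.3.2) also requires every padding byte to equal that
# length. Only the strict check closes the padding-contents gap in this bulletin.
BLOCK_SIZE = 16   # AES block size
MAC_LEN = 20      # HMAC-SHA1, e.g. TLS_RSA_WITH_AES_128_CBC_SHA


def strip_tls_padding(plaintext: bytes, strict: bool):
    """Return (data_and_mac, ok) for one decrypted CBC record."""
    if not plaintext:
        return b"", False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return b"", False
    if strict:
        # Accumulate mismatches rather than returning early, so a padding
        # error costs the same work as clean padding.
        bad = 0
        for byte in plaintext[-(pad_len + 1):]:
            bad |= byte ^ pad_len
        if bad:
            return b"", False
    return plaintext[:-(pad_len + 1)], True


def build_record_plaintext(data: bytes, mac: bytes, padding=None):
    """Build data || mac || padding || padding_length with minimal padding.
    `padding` substitutes arbitrary padding contents while the length byte
    stays correct, which is exactly the record shape a lax check accepts."""
    body = data + mac
    pad_len = (BLOCK_SIZE - (len(body) + 1) % BLOCK_SIZE) % BLOCK_SIZE
    if padding is None:
        padding = bytes([pad_len]) * pad_len
    if len(padding) != pad_len:
        raise ValueError("padding must be %d bytes" % pad_len)
    return body + padding + bytes([pad_len])


# Constructed sample values, not taken from any real capture.
DATA = b"GET /login HTTP/1.1"      # 19 bytes
FAKE_MAC = b"\xaa" * MAC_LEN       # placeholder for the real HMAC
GOOD_RECORD = build_record_plaintext(DATA, FAKE_MAC)          # 8 bytes of 0x08
BAD_PADDING_RECORD = build_record_plaintext(DATA, FAKE_MAC, b"\x00" * 8)

if __name__ == "__main__":
    for name, rec in (("well-formed", GOOD_RECORD), ("bad padding", BAD_PADDING_RECORD)):
        print(name, "lax:", strip_tls_padding(rec, False)[1],
              "strict:", strip_tls_padding(rec, True)[1])
```

The lax check accepts both records; only the strict check rejects the one whose padding bytes do not match the length byte.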

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99216 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

The vulnerable component is used when ReqPro is configured to use LDAP authentication over SSL (https).

LDAP authentication may be used by the desktop client directly, or by a ReqWeb Server.

ReqPro Desktop Client or ReqWeb Server Version | Status
7.1.4.x | Affected if you use LDAP authentication over SSL
7.1.3.5 or higher | Affected if you use LDAP authentication over SSL
7.1.2.9 or higher | Affected if you use LDAP authentication over SSL
7.1.3.0 through 7.1.3.4; 7.1.2.0 through 7.1.2.8; 7.0.x, 7.1.0.x, 7.1.1.x | Not affected

The vulnerable component is also used by ReqWeb server when supporting SSL connections with IBM HTTP Server.

ReqWeb Server Version | Status of IHS vulnerability
7.1.4.x | Affected if you use SSL
7.1.3.x | Affected if you use SSL
7.1.2.x | Affected if you use SSL
7.1.1.x | Affected if you use SSL
7.1.0.x | Affected if you use SSL

Remediation/Fixes

This is a partial remediation for the ReqWeb Server part of the vulnerability. Apply these fixes, and also apply the mitigations described below.

If you use ReqWeb Server, apply the fixes listed in Security Bulletin: TLS padding vulnerability affects IBM HTTP Server (CVE-2014-8730). To install a fixpack or interim fix for IHS as referenced in that bulletin, follow the guidance in this table:

ReqPro Affected Version | Applying an IHS fix
7.1.3.x, 7.1.4.x | Install the IHS fixes to your installation, following the instructions from the IHS security bulletin. (IHS is installed and maintained separately from ReqPro 7.1.3.x and 7.1.4.x.)
7.1.0.x, 7.1.1.x, 7.1.2.x | Document 1390803 explains how to update IHS for ClearCase CM Servers at release 7.1.x; the same instructions apply for ReqPro 7.1.0.x, 7.1.1.x and 7.1.2.x. Install the IHS fixes listed in the IHS security bulletin referenced above.

Workarounds and Mitigations

Procedure:

1. For vulnerable installations using LDAP over SSL, install a fix pack with support for the workaround

For this mitigation to be effective, you must be running a ReqPro fix pack that supports the environment variable. This is necessary on desktop clients using LDAP authentication over SSL, and, similarly, on ReqWeb servers that are configured to authenticate via LDAP through SSL connections.

ReqPro release | Fix packs supporting the environment variable
7.1.4 | 7.1.4.1 or later
7.1.3 | 7.1.3.8 or later
7.1.2 | 7.1.2.13 or later

2. Set an environment variable to avoid the vulnerability (Windows clients and servers)

To avoid the vulnerability, you must set the environment variable GSK_STRICTCHECK_CBCPADBYTES to GSK_TRUE. You need to do this for desktop clients using LDAP over SSL and for the ReqWeb server.

ReqPro component | Setting the environment variable
Desktop client | Set the environment variable as a user or system environment variable.
ReqWeb server | Set the environment variable in the WAS profile for your server. Follow the instructions for setting such variables in technote 1254153.

You should verify that applying this configuration change does not cause any compatibility issues.

References


Acknowledgement

None

Change History

* 21 January 2015: Updated to refer to published IHS fixes
* 09 January 2015: Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date: 16 June 2018

UID: swg21693623