Security Bulletin: Vulnerability in SSLv3 affects IBM HTTP Server (CVE-2014-3566)
SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled by default in the Apache based IBM HTTP Server.
CVE ID: CVE-2014-3566
DESCRIPTION: IBM HTTP Server could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plain text of encrypted connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Products and Versions
This vulnerability affects all versions and releases of IBM HTTP Server (IHS) component in all editions of WebSphere Application Server and bundling products.
There is no separate interim fix for the PI27904 APAR that is associated with this issue, but the interim fix for APAR PI31516 (TLS Padding Vulnerability CVE-2014-8730) includes the update for APAR PI27904. APAR PI27904 update disables SSLv3 by default for IHS 7.0 and newer, and adds the 'SSLProtocolEnable' directive into IHS 7.0.
The update for PI27904 will be included in fix packs 22.214.171.124, 126.96.36.199 and 188.8.131.52.
Workarounds and Mitigations
For all releases and versions of Apache based IBM HTTP Server, IBM recommends disabling SSLv3:
Add the following directive to the httpd.conf file to disable SSLv3 and SSLv2 for each context that contains "SSLEnable":
# Disable SSLv3 for CVE-2014-3566
# SSLv2 is disabled in V8R0 and later by default, and in typical V7
# and earlier configurations disabled implicitly when SSLv3 ciphers
# are configured with SSLCipherSpec.
SSLProtocolDisable SSLv3 SSLv2
Stop and restart IHS for the changes to take affect.
- If you start IHS with the -f command line argument, or you use the "Include" directive to include alternate configuration files, you may need to search those filenames for SSLEnable.
- If you configure SSL with SSLEnable in the global (non-virtualhost) scope, you will need to move SSLEnable into a virtualhost scope to add SSLProtocolDisable
IBM recommends that you review your entire environment to identify other areas that enable SSLv3 protocol and take appropriate mitigation (such as disabling SSLv3) and remediation actions.
Get Notified about Future Security Bulletins
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
ReferencesComplete CVSS v2 Guide
On-line Calculator v2
Related informationIBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
15 October 2014: original document published
03 November 2014: added extra notes
02 December 2014: added link to reference section
28 January 2015: added links to CVE-2014-8730
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
More support for:
IBM HTTP Server
Software version: 6.1, 7.0, 8.0, 8.5, 8.5.5
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS
Software edition: All Editions
Reference #: 1687172
Modified date: 20 October 2014