IBM Support

Security Bulletin: Vulnerability in SSLv3 affects IBM UrbanCode Deploy (CVE-2014-3566)

Security Bulletin


Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM UrbanCode Deploy.

Vulnerability Details

Subscribe to My Notifications to be notified of important product support alerts like this.
  • Follow this link for more information (requires login with your IBM ID)

CVE-ID: CVE-2014-3566

Description: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM UrbanCode Deploy 6.0, 6.0.1, 6.0.1.1, 6.0.1.2, 6.0.1.3, 6.0.1.4, 6.0.1.5, 6.0.1.6, 6.1, 6.1.0.1, 6.1.0.2, and 6.1.0.3 on all supported platforms.

Remediation/Fixes

Upgrade to one of the following releases as SSLv3 is automatically disabled:



Note: Old agents may not be able to connect to IBM UrbanCode Deploy without SSLv3 enabled; therefore, UrbanCode Deploy will dynamically enable SSLv3 if there are any undeleted agents with version 6.0.1.0.491104 or lower. If this scenario is detected, a warning message will be output during server startup.
You may disable SSLv3 in one of the following ways:
  • Upgrade all old agents to the latest version.

  • Put the following property in the server's conf/server/installed.properties file (Please note that doing this may cause some agents to no longer be able to connect to the server):

    com.urbancode.ds.UDeployServer.forceNoSSLv3=true
Agent relays must also be upgraded. Upgraded agent relays will enable SSLv3 during startup if it detects SSLv3 on the target UrbanCode Deploy server. In the case that the target server is not reachable at the time the relay is started, the relay will default to disabling SSLv3. The following properties may be placed in conf/agentrelay.properties to alter this behavior:
  • To force SSLv3 to never be enabled on the relay, regardless of the protocols available on the server:

    com.urbancode.air.agentrelay.AgentRelay.forceNoSSLv3=true

  • To configure the relay to enable SSLv3 if the target server cannot be reached during startup:

    com.urbancode.air.agentrelay.AgentRelay.failOpenSSLv3=true

Workarounds and Mitigations

Note: This mitigation is intended for the servers in "Affected Products and Versions" only. It should not be applied on later releases. Additionally, IBM UrbanCode Deploy Agents with version 6.0.1.0.491104 and earlier may be unable to connect after applying this changes. It is highly recommended to address this issue by upgrading the IBM UrbanCode Deploy server to 6.1.0.4 or 6.0.1.7, and then upgrade all agents.

Mitigating POODLE attacks on agent communication (by default, communication on port 7918):

  1. Open the file <server_install_dir>/conf/server/activemq.xml in a text editor

  2. At the bottom of the file, find the element called <transportConnector /> nested within the element named <transportConnectors />.

  3. Edit this element's uri attribute.

    Follow the following instructions exactly, do not add any extra characters or whitespace.
    1. If the uri attribute looks like this:

      uri="ah3://${server.host}:${server.jms.port}?transport.enabledProtocols=SSL,SSLv3,TLS,TLSv1,TLSv1.1,TLSv1.2,SSL_TLSv2&amp;transport.enabledCipherSuites=${server.ssl.enabledCiphers}"

      Alter the attribute to reflect the changes in bold:

      uri="ah3://${server.host}:${server.jms.port}?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&amp;transport.enabledCipherSuites=${server.ssl.enabledCiphers}"

    2. If the uri attribute looks like this:

      uri="ah3://${server.host}:${server.jms.port}"

      Alter the attribute to reflect the changes in bold:

      uri="ah3://${server.host}:${server.jms.port}?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"


Mitigating POODLE attacks on HTTP communication (by default, communication on port 8443)
  1. Open the file <server_install_dir>/opt/tomcat/conf/server.xml in a text editor

  2. Find the XML element that begins with <Connector port="${install.server.web.https.port}"

  3. Update the following attributes within this XML element.

    Do not add any extra characters or whitespace. If the attribute does not exist, then create it.

    1. For UrbanCode Deploy versions 6.0, 6.0.1, 6.0.1.1, 6.0.1.2, 6.0.1.3, 6.0.1.4, 6.0.1.5, 6.1.0.0, and 6.1.0.1:

      sslProtocol="TLS"
         protocols="TLSv1,TLSv1.1,TLSv1.2"


    2. For UrbanCode Deploy version 6.0.1.6, 6.1.0.2, and 6.1.0.3:

      sslProtocol="TLS"
         sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"


Mitigating POODLE attacks on JMS communication on agent relays (by default, communication on port 7916):
  1. On the agent relay, open the file <agentrelay_install_dir>/conf/jms-relay/activemq.xml in a text editor

  2. At the bottom of the file, find the element called <transportConnector />, nested within the element named <transportConnectors />

  3. Edit this elements "uri" attribute.

    Follow the instructions exactly, do not add any extra characters or whitespace.
    1. If the uri attribute looks like this:

      uri="ah3://${agentrelay.jms_proxy.relay_host}:${agentrelay.jms_proxy.relay_port}"

      Append the following text (in bold) to the attribute:

      uri="ah3://${agentrelay.jms_proxy.relay_host}:${agentrelay.jms_proxy.relay_port}?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"
    2. If the uri attribute looks like this:

      uri="ah3://${agentrelay.jms_proxy.relay_host}:${agentrelay.jms_proxy.relay_port}?transport.enabledProtocols=SSL,SSLv3,TLS,TLSv1,TLSv1.1,TLSv1.2,SSL_TLSv2"

      Alter the text to reflect the change in bold:

      uri="ah3://${agentrelay.jms_proxy.relay_host}:${agentrelay.jms_proxy.relay_port}?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"

Get Notified about Future Security Bulletins

References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

* 04 November 2014: Updated with details on the 6.0.1.7 and 6.1.0.4 fixpacks
* 21 October 2014: Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Attachments

All source code and/or binaries attached to this document are referred to here as "the Program". IBM is not providing program services of any kind for the Program. IBM is providing the Program on an "AS IS" basis without warranty of any kind. IBM WILL NOT BE LIABLE FOR ANY ACTUAL, DIRECT, SPECIAL, INCIDENTAL, OR INDIRECT DAMAGES OR FOR ANY ECONOMIC CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), EVEN IF IBM, OR ITS RESELLER, HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.


Document information

More support for: IBM UrbanCode Deploy
Security

Software version: 6.0, 6.0.1, 6.0.1.1, 6.0.1.2, 6.0.1.3, 6.0.1.4, 6.0.1.5, 6.0.1.6, 6.1, 6.1.0.1, 6.1.0.2, 6.1.0.3

Operating system(s): AIX, Linux, Windows

Reference #: 1687375

Modified date: 04 November 2014