IBM Support

Security Bulletin : IBM Websphere Message Broker and IBM Integration Bus are affected by SSLv3 Vulnerability (CVE-2014-3566 and CVE-ID: CVE-2014-3568)

Security Bulletin


Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled by default in IBM WebSphere Message Broker and IBM Integration Bus.

Vulnerability Details

CVEID: CVE-2014-3566
DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plain text of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-3568
Description: OpenSSL could allow a remote attacker bypass security restrictions. When configured with "no-ssl3" as a build option, servers could accept and complete a SSL 3.0 handshake. An attacker could exploit this vulnerability to perform unauthorized actions.
CVSS Base Score: 2.6
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/97037 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

CVE-2014-3568 applies to the DataDirect Drivers shipped with WebSphere Message Broker and IBM Integration Bus. This only affects users of DataDirect ODBC SSL connectivity.

Affected Products and Versions

IBM Websphere Message Broker V7.0 and V8.0

IBM Integration Bus V9.0

IBM WebSphere Message Broker Hypervisor Edition V8.0

IBM Integration Bus Hypervisor Edition V9.0

IBM SOA Policy pattern for Red Hat Enterprise Linux Server

Remediation/Fixes

A fix is available for users of the DataDirect Drivers (ODBC SSL connectivity) shipped with WebSphere Message Broker 8.0 and IBM Integration Bus 9.0

Product VRMF APAR Remediation/Fix
IBM Integration Bus V9.0.0.0-
9.0.0.3
IT07249 An interim fix is available from IBM Fix Central for all platforms.
http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/Integration+Bus&release=All&platform=All&function=aparId&apars=IT07249

The APAR is targeted to be available in fix pack 9.0.0.4
WebSphere Message Broker
V8.0.0.2 -
8.0.0.5
IT07249 An interim fix is available from IBM Fix Central for all platforms.
http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=IT07249

The APAR is targeted to be available in fix pack 8.0.0.6.


The planned maintenance release dates for WebSphere Message Broker and IBM Integration Bus are available at :
http://www.ibm.com/support/docview.wss?rs=849&uid=swg27006308

Workarounds and Mitigations


WebSphere Message Broker and IBM Integration Bus

The full list of acceptable protocols and their meaning are http://www-01.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/jsse2Docs/protocols.html

SSLv3 users MUST disable SSLv3 on WebSphere Message Broker and IBM Integration Bus servers and clients and switch to using the TLS protocol. The instructions on how to set up Message Broker and Integration Bus to use TLS instead of SSLv3 are given as URLs to the IBM Knowledge Center for IBM Integration Bus V9.0. The instructions are valid for all the versions of the product currently in service.

The inbound connections


Inbound HTTP connections using the broker-wide listener:
General instructions here: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/ap12234_.htm
mqsichangeproperties broker_name -b httplistener -o HTTPSConnector -n sslProtocol -v TLS

Inbound HTTP connections using the integration server listener will by default use TLS. If however it has been modified to match the broker-wide listener, use these instructions to make the necessary changes to use TLS:
General instructions here: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/ap12234_.htm
mqsichangeproperties broker_name -e integration_server_name -o HTTPSConnector -n sslProtocol -v TLS

Inbound SOAP connections using the broker-wide listener:
General instructions here: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/ap12234_.htm
mqsichangeproperties broker_name -b httplistener -o HTTPSConnector -n sslProtocol -v TLS

Inbound SOAP connections using the integration server listener will by default use TLS. If however it has been modified to match the broker-wide listener, use these instructions to make the necessary changes to use TLS:
General instructions here: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/ap12234_.htm
mqsichangeproperties broker_name -e integration_server_name -o HTTPSConnector -n sslProtocol -v TLS

TCPIP Server inbound:
General instructions here: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/bp34105_.htm
mqsichangeproperties broker_name -c TCPIPServer -o myTCPIPServerService -n SSLProtocol  -v TLS

WebAdmin inbound:
General instructions here: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/bj23620_.htm
mqsichangeproperties broker_name -b webadmin -o HTTPSConnector -n sslProtocol -v TLS


The outbound connections
Once servers are changed to use TLS in favour of SSLv3 you will need to update outbound settings in WebSphere Message Broker and IBM Integration Bus using the following commands. In all of the following instructions, TLS can be substituted for SSL_TLS or SSL_TLSv2 if needed (e.g. to support fallback to SSLv3 in a transition period whilst the servers are being updated to use TLS). For making this change in the toolkit APAR IT04685 is required. Please contact IBM support.

For HTTP connections
Basic instructions: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/ap12235_.htm
In the SSL tab of the Request node(s) select TLS for the Protocol.

For SOAP connections that have been modified to use the non-default SSLv3 protocol
Basic instructions: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/ap34022_.htm
In the SSL tab of the Request node(s) select TLS for the Protocol.

TCPIP Client:
General information: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/bp34100_.htm
mqsichangeproperties broker_name -c TCPIPClient -o myTCPIPClientService -n SSLProtocol -v TLS

JMS Nodes:
Some general information here: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/ap12237_.htm
Follow instructions as provided by your JMS Provider.

CICS Nodes:
General instructions here: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/bc16170_.htm?cp=SSMKHH_9.0.0%2F1-14-2-1-5-5
The CICS nodes use TLS by default, so no change needed.

Security providers:

WSTrust:
set the environment variable MQSI_STS_SSL_PROTOCOL to "TLS"

TFIM:
set the environment variable MQSI_TFIM_SSL_PROTOCOL to "TLS"

ODBC (DataDirect) OpenSSL as configured in odbc.ini:

The ODBC Oracle Wire Protocol driver allows for the EncryptionMethod connect option to be set to a value of 5, which means only use TLS1 or higher.  Setting EncryptionMethod=5 for the Oracle Wire Protocol driver will avoid POODLE.  This functionality has been available since the 6.1 version of the Oracle WP driver. The providers of DataDirect drivers are working on similar functionality to all other ODBC drivers that support SSL and upgrading the version of OpenSSL used within the drivers to pickup the enhancement to SSL negotiation.

The client-based ODBC drivers (DB2 Client and Informix Client) rely on the SSL implementation within the Database’s client libraries.  Please see the documentation for your client libraries to learn about possible exposure to POODLE.


IBM recommends that you review your entire environment to identify other areas that enable SSLv3 protocol and take appropriate mitigation (such as disabling SSLv3) and remediation actions

WebSphere Message Broker v8 HVE, IBM Integration Bus V9 HVE and IBM SOA Policy pattern for Red Hat Enterprise Linux Server
IBM recommends that you review your entire environment to identify vulnerable releases of SSLv3 including your Operating Systems and take appropriate mitigation and remediation actions. Please contact your Operating System provider for more information.

Get Notified about Future Security Bulletins

Important note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

23 Oct 2014 - Original version Published
30 Oct 2014 - Added OpenSSL Security Vulnerability (CVE-2014-3568)
23 Mar 2015- Fix for DataDirect Driver users
16 April 2015- Changed wording to 'MUST disable SSLv3'
23 Sep 2015- Revised expiry date

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Related information

A Japanese translation is available

Cross reference information
Segment Product Component Platform Version Edition
Business Integration IBM Integration Bus Web User Interface AIX, HP-UX, Linux, Solaris, Windows 9.0
Business Integration IBM Integration Bus Hypervisor Edition
Business Integration IBM SOA Policy Pattern
Business Integration WebSphere Message Broker Hypervisor Edition

Product Alias/Synonym

WMB IIB

Document information

More support for: WebSphere Message Broker
Security

Software version: 7.0, 8.0

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 1687678

Modified date: 16 April 2015