Security Bulletin: TLS padding vulnerability affects IBM HTTP Server (CVE-2014-8730)
Transport Layer Security (TLS) padding vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) like attack affects IBM HTTP Server.
IBM HTTP Server could allow a remote attacker to obtain sensitive information, caused by the failure to check the contents of the padding bytes when using CBC cipher suites of some TLS implementations. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) like attack to decrypt sensitive information and calculate the plain text of secure connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99216 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Products and Versions
This vulnerability affects all versions and releases of IBM HTTP Server (powered by Apache) component in all editions of WebSphere Application Server and bundling products.
- Version 8.5.5
- Version 8.5
- Version 7.0
- Version 6.1
- Version 6.0
The recommended solutions is to apply the interim fix, Fix Pack or PTF containing APAR PI31516 for each named product as soon as practical. APAR PI31516 enables the strict CBC padding by default. The PI31516 interim fix for IBM HTTP Server (IHS) 7.0 and newer also includes the update for PI27904 (SSLV3 vulnerability CVE-2014-3566) which disables SSLv3 by default.
For affected IBM HTTP Server for WebSphere Application Server:
For V22.214.171.124 through 126.96.36.199 Full Profile:
· Upgrade to a minimum of Fix Pack 188.8.131.52 or later then apply Interim Fix PI31516
· Apply Fix Pack 184.108.40.206 or later.
For V8.0 through 220.127.116.11:
· Upgrade to a minimum of Fix Pack 18.104.22.168 or later and then apply Interim Fix PI31516
· Apply Fix Pack 22.214.171.124 or later.
For V126.96.36.199 through 188.8.131.52:
· Upgrade to a minimum of Fix Pack 184.108.40.206 or later and then apply Interim Fix PI31516
· Apply Fix Pack 220.127.116.11 or later.
For V18.104.22.168 through 22.214.171.124:
· Upgrade to Fix Pack 126.96.36.199 and then apply Interim Fix PI31516
Workarounds and Mitigations
For all versions and releases of Apache based IBM HTTP server, IBM recommends enabling strict CBC padding enforcement. Add the following directive to the httpd.conf file, for each context that contains "SSLEnable", to enable strict CBC padding enforcement.
# Enable strict CBC padding
SSLAttributeSet 471 1
* Maintenance levels: 188.8.131.52, 184.108.40.206, 220.127.116.11 or later
* Any older fixpack/release with any one of the following interim fixes applied: PI05309, PI08502, PI09443, PI13422, PI19700, PI26894
Stop and restart IHS for the changes to take affect.
If you start IHS with the -f command line argument, or you use the "Include" directive to include alternate configuration files, you may need to search those filenames for SSLEnable.
If you configure SSL with SSLEnable in the global (non-virtualhost) scope, you will need to move SSLEnable into a virtualhost scope to add SSLAttributeSet
You should verify applying this configuration change does not cause any compatibility issues.
Get Notified about Future Security Bulletins
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
ReferencesComplete CVSS v2 Guide
On-line Calculator v2
Related informationIBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
10 December 2014: original version published
16 January 2015: Ifixes available to change the default
28 January 2015: add links back to CVE-2014-3566
5 February 2015: added minimum levels
1 June 2015: clarified wording for version 6.0.2 to contact IBM support
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
More support for:
IBM HTTP Server
Software version: 6.0.2, 6.1, 7.0, 8.0, 8.5, 8.5.5
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 1692502
Modified date: 01 June 2015