« previous next »
Pages: [1]

Author Topic: SECURITY BULLETIN: GSKit vulnerable to POODLE attack  (Read 2508 times)

Justin Derrick

  • IBM Content Manager OnDemand Consultant
  • Administrator
  • Hero Member
  • *****
  • Posts: 2231
  • CMOD Guru for hire...
    • View Profile
    • Tenacious Consulting
SECURITY BULLETIN: GSKit vulnerable to POODLE attack
« on: December 17, 2014, 07:11:43 PM »
Link to the IBM Bulletin:

http://www-01.ibm.com/support/docview.wss?uid=swg21693181&myns=swgimgmt&mynp=OCSSEPCD&mync=E&cm_sp=swgimgmt-_-OCSSEPCD-_-E

Text of the Bulletin:

Summary

Transport Layer Security (TLS) padding vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) like attack affects Content Manager OnDemand for Multiplatforms
Vulnerability Details

CVE-ID: CVE-2014-8730

DESCRIPTION:

Product could allow a remote attacker to obtain sensitive information, caused by the failure to check the contents of the padding bytes when using CBC cipher suites of some TLS implementations. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) like attack to decrypt sensitive information and calculate the plaintext of secure connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99216 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Products and Versions

IBM Content Manager OnDemand for Multiplatforms V8.5, V9.0, and V9.5
Remediation/Fixes

None
Workarounds and Mitigations

You should verify applying this configuration change does not cause any compatibility issues.

Instructions:

1.) Upgrade to the GSKit to version 9.0.14.25 or newer. Contact IBM Content Manager OnDemand Level 2 to obtain newer versions of the GSKit.

2.) Set the environment variable GSK_STRICTCHECK_CBCPADBYTES for the Library Server:

a.) For a Content Manager OnDemand for Multiplatforms Library Server on Unix or Linux
- Add the environment variable GSK_STRICTCHECK_CBCPADBYTES=1 and export it.
- Restart the Content Manager OnDemand Server with that environment variable set.

b) For a Content Manager OnDemand for Multiplatforms Library Server on Windows:
- Create a new system environment variable GSK_STRICTCHECK_CBCPADBYTES=1 using System Properties/Advanced/Environment Variables


- Restart the CMOD Server.


---- End

It appears that you'll only be vulnerable to this attack on SSL/TLS if your CMOD server is configured to enable SSL support.

-JD.
Logged
IBM CMOD Professional Services: http://TenaciousConsulting.com
Call:  +1-866-533-7742  or  eMail:  jd@justinderrick.com
IBM CMOD Wiki:  https://CMOD.wiki/
FREE IBM CMOD Education & Webinars:  https://CMOD.Training/

Interests: #AIX #Linux #Multiplatforms #DB2 #TSM #SP #Performance #Security #Audits #Customizing #Availability #HA #DR

Justin Derrick

  • IBM Content Manager OnDemand Consultant
  • Administrator
  • Hero Member
  • *****
  • Posts: 2231
  • CMOD Guru for hire...
    • View Profile
    • Tenacious Consulting
Re: SECURITY BULLETIN: GSKit vulnerable to POODLE attack
« Reply #1 on: March 05, 2015, 08:53:12 AM »
Latest versions of the GSKit can be downloaded here (as of March 2015):

http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/IBM+Global+Security+Kit&release=All&platform=All&function=all

On the left hand side, choose your Platform, and under "Applies To", scroll to the bottom for the latest version number.

-JD.
Logged
IBM CMOD Professional Services: http://TenaciousConsulting.com
Call:  +1-866-533-7742  or  eMail:  jd@justinderrick.com
IBM CMOD Wiki:  https://CMOD.wiki/
FREE IBM CMOD Education & Webinars:  https://CMOD.Training/

Interests: #AIX #Linux #Multiplatforms #DB2 #TSM #SP #Performance #Security #Audits #Customizing #Availability #HA #DR
Pages: [1]
« previous next »