Link to the IBM Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21693181&myns=swgimgmt&mynp=OCSSEPCD&mync=E&cm_sp=swgimgmt-_-OCSSEPCD-_-E

Text of the Bulletin:
Summary
Transport Layer Security (TLS) padding vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) like attack affects Content Manager OnDemand for Multiplatforms
Vulnerability Details
CVE-ID: CVE-2014-8730
DESCRIPTION:
The product could allow a remote attacker to obtain sensitive information, caused by the failure of some TLS implementations to check the contents of the padding bytes when using CBC cipher suites. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) like attack to decrypt sensitive information and calculate the plaintext of secure connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99216 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Products and Versions
IBM Content Manager OnDemand for Multiplatforms V8.5, V9.0, and V9.5
Remediation/Fixes
None
Workarounds and Mitigations
You should verify that applying this configuration change does not cause any compatibility issues.
Instructions:
1.) Upgrade the GSKit to version 9.0.14.25 or newer. Contact IBM Content Manager OnDemand Level 2 to obtain newer versions of the GSKit.
2.) Set the environment variable GSK_STRICTCHECK_CBCPADBYTES for the Library Server:
a) For a Content Manager OnDemand for Multiplatforms Library Server on Unix or Linux:
- Add the environment variable GSK_STRICTCHECK_CBCPADBYTES=1 and export it.
- Restart the Content Manager OnDemand Server with that environment variable set.
b) For a Content Manager OnDemand for Multiplatforms Library Server on Windows:
- Create a new system environment variable GSK_STRICTCHECK_CBCPADBYTES=1 using System Properties/Advanced/Environment Variables.
- Restart the CMOD Server.
---- End
It appears that you'll only be vulnerable to this attack on SSL/TLS if your CMOD server is configured to enable SSL support.
-JD.
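Added illustration of what the GSK_STRICTCHECK_CBCPADBYTES switch actually changes. This is not code from the bulletin, from GSKit or from the CMOD product; it is a small Python model of the receiving side of a TLS 1.x CBC record after decryption, assuming an HMAC-SHA1 MAC and a 16-byte cipher block (as in an AES-128-CBC-SHA suite). The record contents and the MAC key are constructed sample data. The lenient check trusts only the final length byte, which is the SSLv3 rule and the flaw the CVE describes; the strict check requires every padding byte to equal the length byte, as TLS 1.x specifies. The probe sweeps the last byte of an all-padding final block over all 256 values, which is the receiver-side view of a POODLE-style block substitution (the real attack needs the man-in-the-middle position the bulletin mentions, and the swapped-in block is tied to a target plaintext byte rather than chosen freely):

```python
"""Lenient vs strict CBC padding checks on a TLS 1.x record (added example).

Models only the receiver after decryption. Assumptions: HMAC-SHA1 MAC, 16-byte
block. MAC key and record payload below are constructed sample values.
"""
import hashlib
import hmac

BLOCK = 16      # AES block size (assumption for the example)
MAC_LEN = 20    # HMAC-SHA1 output size
MAC_KEY = b"constructed-sample-mac-key"   # constructed, not a real session key


def build_record(payload: bytes) -> bytes:
    """Plaintext of a TLS 1.x CBC record: payload || MAC || padding || pad_len.

    RFC 5246 6.2.3.2: every padding byte and the final length byte equal pad_len.
    """
    body = payload + hmac.new(MAC_KEY, payload, hashlib.sha1).digest()
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)


def lenient_unpad(plaintext: bytes):
    """SSLv3-style check (the flaw behind CVE-2014-8730): only the final length
    byte is trusted; the padding bytes themselves are never inspected."""
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return None
    return plaintext[:-(pad_len + 1)]


def strict_unpad(plaintext: bytes):
    """TLS 1.x check (what GSK_STRICTCHECK_CBCPADBYTES=1 turns on): every byte
    of the padding must equal pad_len, otherwise the record is rejected."""
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return None
    if any(b != pad_len for b in plaintext[-(pad_len + 1):]):
        return None
    return plaintext[:-(pad_len + 1)]


def accept_record(plaintext: bytes, unpad) -> bool:
    """Receiver logic: strip padding under the given policy, then verify the MAC."""
    body = unpad(plaintext)
    if body is None or len(body) < MAC_LEN:
        return False
    payload, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(MAC_KEY, payload, hashlib.sha1).digest()
    return hmac.compare_digest(expected, mac)


def oracle_hits(unpad, payload: bytes = b"sessionid=42") -> int:
    """POODLE-style probe against a record whose last block is entirely padding.

    In the real attack the decrypted last block is D(C_i) XOR C_(n-1): bytes the
    attacker cannot pick, but tied to a target plaintext byte. Here the cipher is
    skipped and the last decrypted byte is swept directly, with the other 15
    bytes fixed to values that are never valid padding. The number of accepted
    records is what the receiver leaks: 1 in 256 under the lenient check, 0
    under the strict one.
    """
    record = build_record(payload)
    assert record[-1] == BLOCK - 1, "payload length chosen so padding fills a block"
    head = record[:-BLOCK]
    garbage = bytes(range(0x20, 0x2f))        # 15 bytes, none equal to 0x0f
    hits = 0
    for last in range(256):
        forged = head + garbage + bytes([last])
        if accept_record(forged, unpad):
            hits += 1
    return hits


if __name__ == "__main__":
    print("lenient check accepts", oracle_hits(lenient_unpad), "of 256 forged blocks")
    print("strict  check accepts", oracle_hits(strict_unpad), "of 256 forged blocks")
```

Under the lenient policy the forged record is accepted exactly when the last byte happens to be 0x0f, so an attacker who can replay a block into that position learns one plaintext byte per roughly 256 attempts; under the strict policy the garbage padding bytes cause a rejection every time, and the MAC failure and padding failure collapse into the same error, which is why the bulletin's mitigation is to turn the strict check on rather than to patch anything else.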