IIB v9 SSLv3 Vulnerability information

IIB v9 SSLv3 Vulnerability information given below for reference. As mentioned in my previous blog entry, below information provides information about how to disable SSLv3 protocol and enable TLS protocol in IBM Integration Bus v9.

Security Note and Link below for reference (below text taken directly from IBM technote),

Security Bulletin: IBM Websphere Message Broker and IBM Integration Bus are affected by SSLv3 Vulnerability (CVE-2014-3566 and CVE-ID: CVE-2014-3568)
Link: http://www-01.ibm.com/support/docview.wss?uid=swg21687678

CVE Details

CVEID: CVE-2014-3566
Description: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plain text of encrypted connections.

CVEID: CVE-2014-3568
Description: OpenSSL could allow a remote attacker bypass security restrictions. When configured with “no-ssl3” as a build option, servers could accept and complete a SSL 3.0 handshake. An attacker could exploit this vulnerability to perform unauthorized actions.

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled by default in IBM WebSphere Message Broker and IBM Integration Bus.

If you are on or below IIB v9 Fix pack 9.0.0.3, SSLv3 users MUST disable SSLv3 on WebSphere Message Broker and IBM Integration Bus servers and clients and switch to using the TLS protocol.

From IIB v9.0.0.4 SSLv3 is disabled by default for all inbound and outbound connections, apart from ODBC database access, because SSLv3 is no longer considered secure due to the POODLE vulnerability. Where SSLv3 is not explicitly configured as the protocol all default values will be replaced automatically by TLS.

Users are recommended to update any configuration using SSLv3 to use TLS, by following these steps:

1. Update all explicitly configured protocol values for inbound and outbound connections to use TLS instead of SSLv3. The following IBM security bulletin gives further details on the required mitigations:  http://www.ibm.com/support/docview.wss?uid=swg21687678

2. Update all ODBC configurations which use the Oracle Wire Protocol Driver to use only TLS1 or higher protocols. The following IBM security bulleting gives further details on the required mitigation:  http://www.ibm.com/support/docview.wss?uid=swg21687678

3. Update all ODBC configurations using the client-based ODBC drivers (DB2 Client and Informix Client) by referring to the documentation for your client libraries about how to avoid a possible exposure to POODLE.

4. Update any Java code to use TLS instead of SSLv3. The following IBM security bulletin gives further details about the usage and recommended mitigations for Java: http://www.ibm.com/support/docview.wss?uid=swg21688165

5. It is necessary to update both sides of any communication to use TLS:
– For any inbound communication to WebSphere Message Broker, the sending application must be updated.
– For any outbound communication from WebSphere Message Broker, the receiving application must be updated.

It is strongly recommended that these changes are made to avoid the known security vulnerability in SSLv3.

I will be writing another article on all the commands that will be used for Inbound/outbound connections to enable TLS protocol.