Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.1949
Security Bulletin: Vulnerability in SSLv3 affects multiple IBM Rational
products based on IBM Jazz technology (CVE-2014-3566)
24 October 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Rational Team Concert
IBM Rational Quality Manager
IBM Rational Requirements Composer
IBM Rational DOORS Next Generation
IBM Rational Engineering Lifecycle Manager
IBM Rational Software Architect Design Manager
IBM Rhapsody Design Manager
Publisher: IBM
Operating System: AIX
UNIX variants (UNIX, Linux, OSX)
Solaris
Windows
z/OS
IBM i
Impact/Access: Access Confidential Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Mitigation
CVE Names: CVE-2014-3566
Reference: ASB-2014.0122
ESB-2014.1946
ESB-2014.1944
ESB-2014.1929
ESB-2014.1920
ESB-2014.1897
ESB-2014.1858
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21687762
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Vulnerability in SSLv3 affects multiple IBM Rational
products based on IBM Jazz technology (CVE-2014-3566)
Security Bulletin
Document information
More support for:
Rational Collaborative Lifecycle Management
General Information
Software version:
3.0.1, 3.0.1.6, 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 5.0,
5.0.1
Operating system(s):
AIX, Linux, Mac OS, Solaris, Windows, z/OS
Reference #:
1687762
Modified date:
2014-10-21
Summary
SSLv3 contains a vulnerability that has been referred to as the Padding
Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in
Jazz technology (JAF) based products such as Rational Team Concert (RTC),
Rational Quality Manager (RQM), Rational Requirements Composer/Rational DOORS
Next Generation (RRC/RDNG), Rational Engineering Lifecycle Manager (RELM),
Rational Software Architect Design Manager (RSA DM), Rhapsody Design Manager
(Rhapsody DM) and also in Web servers that these products run on, namely
Apache Tomcat, IBM WebSphere, and IBM HTTP Server.
Vulnerability Details
CVE-ID: CVE-2014-3566
Description: Product could allow a remote attacker to obtain sensitive
information, caused by a design error when using the SSLv3 protocol. A remote
user with the ability to conduct a man-in-the-middle attack could exploit
this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy
Encryption) attack to decrypt SSL sessions and access the plaintext of
encrypted connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Products and Versions
All versions of the Jazz technology based products of CLM, RTC, RQM, RRC,
RDNG, RSA DM, Rhapsody DM, and RELM.
Remediation/Fixes
None
Workarounds and Mitigations
IBM recommends that you review your entire environment to identify areas that
enable the SSLv3 protocol and take appropriate mitigation and remediation
actions. The most immediate mitigation action that can be taken is disabling
SSLv3.
SSL secured communication occurs between client and server, for example
between a Web browser or RTC client and a Web server on which the CLM is
installed. To mitigate this issue and protect against POODLE attack, it is
enough to secure either the client or the server (or both). One suggestion is
to secure the Web server into which CLM is installed. This will allow you
some flexibility in terms of addressing this issue as applicable in your
environments while at the same time maintaining the ability of software
client applications/components to access servers configured with different
levels of security.
See the following links for information on how to disable SSLv3 in Apache
Tomcat, IBM WebSphere and IBM HTTP Server.
IBM WebSphere: http://www.ibm.com/support/docview.wss?uid=swg21687173
IBM HTTP Server: http://www.ibm.com/support/docview.wss?uid=swg21687172
Apache Tomcat: https://access.redhat.com/solutions/1232233
In addition, the following change must be made in server.startup file (.bat or .sh, as appropriate).
This file is located in <CLM_INSTALL_LOCATION>/server folder:
Find and replace the following text in the follow files:
server.startup.bat
Find: set JAVA_OPTS=%JAVA_OPTS% -Djazz.connector.sslProtocol=SSL_TLS
Replace with: set JAVA_OPTS=%JAVA_OPTS% -Djazz.connector.sslEnabledProtocols=TLSv1,TLSv1.1,TLSv1.2
server.startup.sh:
Find: JAVA_OPTS="$JAVA_OPTS -Djazz.connector.sslProtocol=SSL_TLS"
Replace with: JAVA_OPTS="$JAVA_OPTS -Djazz.connector.sslEnabledProtocols=TLSv1,TLSv1.1,TLSv1.2"
And the following change must be made in <CLM_INSTALL_LOCATION>\server\tomcat\conf\server.xml
Find: sslProtocol="${jazz.connector.sslProtocol}"
Tomcat 6 (6.0.38 and later) and 7 replace with: sslEnabledProtocols="${jazz.connector.sslEnabledProtocols}"
Tomcat 5 and 6 (prior to 6.0.38) replace with: sslProtocols="${jazz.connector.sslEnabledProtocols}"
Important note
IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site. Security and integrity APARs and associated fixes
will be posted to this portal. IBM suggests reviewing the CVSS scores and
applying all security or integrity fixes as soon as possible to minimize any
potential risk.
References
Complete CVSS Guide
On-line Calculator V2
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Acknowledgement
None
Change History
* 21 October 2014: Original copy published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information
Segment Product Component Platform Version
Software Rational DOORS General Linux, Windows 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 5.0, 5.0.1
Development Next Generation information
Software Rational General Windows, Linux 1.0, 1.0.0.1, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 5.0, 5.0.1
Development Engineering Information
Lifecycle Manager
Software Rational Quality Team Server AIX, Linux, Solaris 1.0, 1.0.0.1, 1.0.0.2, 1.0.1, 1.0.1.1, 1.0.1.2, 2.0, 2.0.0.1,
Development Manager Windows, z/OS 2.0.0.2, 2.0.1, 2.0.1.1, 3.0.1, 3.0.1.1, 3.0.1.2, 3.0.1.3,
3.0.1.4, 3.0.1.5, 3.0.1.6, 4.0, 4.0.0.1, 4.0.0.2, 4.0.1,
4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 5.0, 5.0.1
Software Rational Team Server Windows, Linux, 1.0, 1.0.0.1, 2.0, 2.0.0.1, 2.0.0.2, 2.0.0.3, 2.0.0.4, 3.0.1, 3.0.1.1,
Development Requirements z/OS 3.0.1.2, 3.0.1.3, 3.0.1.4, 3.0.1.5, 3.0.1.6, 4.0, 4.0.0.1,
Composer 4.0.0.2, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7
Software Rational Rhapsody General Linux, Windows 3.0, 3.0.0.1, 3.0.1, 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5,
Development Design Manager Information 4.0.6, 4.0.7, 5.0, 5.0.1
Software Rational Team Team Server AIX, i5/OS, IBM i, 1.0, 1.0.1, 1.0.1.1, 2.0, 2.0.0.1, 2.0.0.2, 3.0, 3.0.1, 3.0.1.1,
Development Concert Linux, Solaris, 3.0.1.2, 3.0.1.3, 3.0.1.4, 3.0.1.5, 3.0.1.6, 4.0, 4.0.0.1, 4.0.0.2,
Windows, z/OS, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 5.0, 5.0.1
Mac OS X
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVEn+XxLndAQH1ShLAQKnvg/6A3A/0qvJa00p2eQzbHXdkoV7bLig6flx
+kEoafsYVV4vYWMt0gzc7Kpy33FHC1TJuOmQfwvB7rtbFrFG81xfmwKnv5DozZJN
286Ir4gdRBo+4ePQ3yTuZbq1ZxY8LJjVsZ/6IrescB7R7sBq4ss9ddo1Ssg4Ix0d
h/+thpODGJ2lWkG8DthUzcHhdtsyvi0pplE2MoTptrxDEOjByVL7VD6mXnNUPgIO
JdbrjnWNIJkTANjIspiOh+kUAPYPbgzyvJCGRckXmO3Mj4glvfp8Yt89iPfEsbYT
72MQkwZALOPs0bMtuw1IHj3NIpz5pc9PBIFtjaiPfi6LEey4Th7AMvogAS/YdhTO
O6HcLDdf3oJdFKP/46aNS1v25Jm7J2tmYmxV2zDktbR1jAdTt4UHr7CPTlU8j05u
fGJdYNQJa3AqAM8AhP1kHZN5R5xVIoOawXJGyfaOCS5Gja9q8e6ZdtnUqfDYbf2h
IB8GjmqqvmPvM5gV4LHAhyErJ/YZ9wlcQxGxQmL7yJJ/WHokTeF62/slXIH7sazh
XXB1evc2XY7PmluypLZtgwwp5AV7N8Sl5el6HO/ggDhs/c7DJCFSu93Q2jbOOYne
wgi6MB493E6lQR0X0C4dPmHZeOMrJjiD0/J0TcuZuITOdgxB7rTbkLAX8NcntEPY
+atKK0V5hRE=
=lLEP
-----END PGP SIGNATURE-----