Bill Malchisky October 22 2014 12:05:00 PMA day after providing two Technotes on SHA-2, TLS, and POODLE for Domino, IBM released two documents to cover their Protector product. The bulletin covers three vulnerabilities and provides details on each. For the workaround document, mind the side effect mentioned at the bottom, as with some sites, this may introduce a risk assessment against delivery versus the exploit's vulnerability.
1. Bulletin - Security Bulletin: Vulnerabilities in OpenSSL may cause weak cyphers to be used over SSLv3 (POODLE Attack) in IBM Lotus Protector for Mail Security (CVE-2014-3513, CVE-2014-3567, CVE-2014-3568)
2. Suggested workaround - How to protect Lotus Protector for Mail Security against POODLE (Padding Oracle On Downgraded Legacy Encryption) attack
Notation: It should be noted that the bulletin omits CVE 2014-3566, the primary exploit for POODLE; as per IBM Tech Support they are specifically releasing an HTTPS patch for this exploit--via a PMR opened by a customer.
Hat tip to Samuel Sawatzky for the heads-up.
- Comments