ICS/Lotus (mostly), Linux, Travel, Skiing, Mixology, and Random Musing of Interest

IBM Protector for Mail Security POODLE Fix

Bill Malchisky  October 22 2014 12:05:00 PM
A day after providing two Technotes on SHA-2, TLS, and POODLE for Domino, IBM released two documents to cover their Protector product. The bulletin covers three vulnerabilities and provides details on each. For the workaround document, mind the side effect mentioned at the bottom; at some sites, this may call for a risk assessment that weighs delivery against exposure to the exploit.

1. Bulletin - Security Bulletin: Vulnerabilities in OpenSSL may cause weak cyphers to be used over SSLv3 (POODLE Attack) in IBM Lotus Protector for Mail Security (CVE-2014-3513, CVE-2014-3567, CVE-2014-3568)
2. Suggested workaround - How to protect Lotus Protector for Mail Security against POODLE (Padding Oracle On Downgraded Legacy Encryption) attack

Notation: The bulletin omits CVE-2014-3566, the primary exploit for POODLE; per IBM Tech Support, they are specifically releasing an HTTPS patch for this exploit, via a PMR opened by a customer.

Hat tip to Samuel Sawatzky for the heads-up.
