An update on IBM Connections and the POODLE vulnerability

*** UPDATE: 10:53GMT, 3 November 2014 ***

As reader Oliver Regelmann has commented below, these fixes are sadly not for the POODLE issue at all, but to fix an altogether different vulnerability in Connections, caused by a issue in Apache Commons FileUpload.

My fellow contributor, Sjaak Ursinus, created a detailed post a couple of weeks back detailing the impact that the POODLE vulnerability could have on your IBM Connections platform, and the steps required to code a route around the issue (though Sjaak himself noted that it wasn’t much of a workaround).  If you haven’t heard of POODLE, then I suggest you go read Sjaak’s post now.

Just a few days ago, IBM Connections product manager Luis Benitez added a comment to the post linking to IBMs technote on the topic.

Since then, IBM has released a further update, and this post attempts to bring you the latest news on the issue.

Firstly, the vulnerability itself:

A security vulnerability was reported against Apache Commons FileUpload. IBM Connections uses Apache Commons FileUpload. A version of the package that is vulnerable to these issues is used in several past versions of IBM Connections. To fix this vulnerability apply the fixes as detailed in the Remediation section.

CVE-ID: CVE-2014-0050
Description: MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop’s intended exit conditions.
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90987 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

This vulnerability affects all versions of IBM Connections, including all releases under IBM support and maintenance, i.e. 5.0, 4.5, 4.0 and 3.0.1.1.

The good news is that IBM has released fixes for all these versions, including the somewhat ancient 3.0.1.1, which I think is pretty impressive:

Apply the appropriate fix pack or APAR to remediate these issues as per this table. Note, if possible, it is always recommended to upgrade to the most recent release of IBM Connections.

Product Version Remediation
IBM Connections 5.0 Upgrade to IBM Connections 5.0 CR1
IBM Connections 4.5 Upgrade to IBM Connections 4.5 CR5 and apply Interim Fix APAR LO82478
IBM Connections 4.0 Upgrade to IBM Connections 4.0 CR4 and apply Interim Fix APAR LO82478
IBM Connections 3.0.1.1 Upgrade to IBM Connections 3.0.1.1 CR3 and apply Interim Fix APAR LO82478
IBM Connections 3.0.1 and earlier releases Either upgrade to IBM Connections 5.0 CR1 or upgrade to IBM Connections 3.0.1.1 CR3 , apply prerequisites and apply APAR LO82478

Whichever version of IBM Connections you run, my advice is that it really is imperative to get these fixes onto your systems as quickly as is reasonably possible – particularly if your Connections system is available to external access.

Apache Struts security issues ‐ time to patch your IBM Connections install

I’ve just come across an IBM technote from May 2014 that has been updated over the last few days, listing details of a number of vulnerabilities in Apache Struts:

[titled_box title=”Vulnerability Details”]Several security vulnerabilities have been reported against Apache Struts through April 2014. IBM Connections uses Struts. A version of the package that is vulnerable to these issues is used in several past versions of IBM Connections. To fix these vulnerabilities apply the fixes as detailed in the Remediation section.

The following versions of IBM Connections are impacted:

IBM Connections 5.0
IBM Connections 4.5
IBM Connections 4.0
IBM Connections 3.0.1.1 and earlier releases[/titled_box]

There are fixes for all the above mentioned versions of Connections.  Here are the two most recent:

IBM Connections 5.0 Apply APAR LO80688
IBM Connections 4.5 Upgrade to IBM Connections 4.5 CR4 and apply Interim Fix APAR LO81215

I would definitely recommend getting these security fixes on ASAP, particularly if your IBM Connections platform is public-facing…

Watch out for quotes!

Just a reminder to be watchful of non-standard characters in IBM Connections user names, and also to thoroughly review your IBM Connections TDI logs on a regular basis.  This is a current APAR (IBM ID required):

[titled_box title = “IBM APAR LO81076”]LO81076: USERS WHO ARE REGISTED WITH QUOTATION MARKS IN THEIR NAMES CANNOT USE CONNECTIONS PROPERLY
APAR status 
OPEN
Error description
Users who are registered using identifiers that are in quotation marks (Jennifer “Jen” Doe) cannot use most of the functions of profiles.

Internet Explorer displays many errors after the user logs in and the Profiles home page is displayed. Firefox simply doesn’t show certain features such as the search entry box[/titled_box]

I’m sure that this particular APAR will get resolved in an upcoming fix for Connections 4.5 (I’m not sure if 5.0 is similarly afflicted?), however these types of issue do crop up every so often, so be ready for them!