An update on IBM Connections and the POODLE vulnerability

*** UPDATE: 10:53GMT, 3 November 2014 ***

As reader Oliver Regelmann has commented below, these fixes are sadly not for the POODLE issue at all, but for an altogether different vulnerability in Connections, caused by an issue in Apache Commons FileUpload.

My fellow contributor, Sjaak Ursinus, wrote a detailed post a couple of weeks back on the impact that the POODLE vulnerability could have on your IBM Connections platform, and the steps required to work around the issue (though Sjaak himself noted that it wasn't much of a workaround). If you haven't heard of POODLE, I suggest you go and read Sjaak's post now.

Just a few days ago, IBM Connections product manager Luis Benitez added a comment to that post linking to IBM's technote on the topic.

Since then, IBM has released a further update, and this post attempts to bring you the latest news on the issue.

Firstly, the vulnerability itself:

A security vulnerability was reported against Apache Commons FileUpload. IBM Connections uses Apache Commons FileUpload. A version of the package that is vulnerable to these issues is used in several past versions of IBM Connections. To fix this vulnerability apply the fixes as detailed in the Remediation section.

CVE-ID: CVE-2014-0050
Description: MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop’s intended exit conditions.
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90987 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
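The "crafted Content-Type header" in the description is a multipart boundary that does not fit in the fixed read buffer that MultipartStream uses; FileUpload 1.3.1 rejects such a boundary with an IllegalArgumentException, earlier versions spin forever on it. The following is an added example, not code from the original post or from IBM's bulletin, that applies that same size check to request headers so you can spot attempts in proxy or access logs. It assumes the 1.x default buffer size of 4096 bytes (MultipartStream.DEFAULT_BUFSIZE); the sample records are constructed, not captured traffic.

```python
# Added example (not part of the original post or of IBM's bulletin):
# tests whether a multipart Content-Type header would hit the
# CVE-2014-0050 trigger condition in Apache Commons FileUpload < 1.3.1.
import re

# MultipartStream searches for "\r\n--" + boundary inside a fixed read
# buffer. Assumption: the default buffer size is 4096 bytes, as in the
# 1.x series (MultipartStream.DEFAULT_BUFSIZE); override it if you know
# the deployment constructs the stream with a different size.
DEFAULT_BUFSIZE = 4096
BOUNDARY_PREFIX_LEN = len(b"\r\n--")

# boundary=... may be quoted or bare; a bare value runs to the next ';'.
_BOUNDARY_RE = re.compile(r';\s*boundary=(?:"([^"]*)"|([^;\s]*))', re.IGNORECASE)


def extract_boundary(content_type):
    """Return the boundary parameter of a multipart/* Content-Type, else None."""
    if content_type is None:
        return None
    if not content_type.strip().lower().startswith("multipart/"):
        return None
    m = _BOUNDARY_RE.search(content_type)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def boundary_too_long(content_type, bufsize=DEFAULT_BUFSIZE):
    """True if the boundary cannot fit in the read buffer.

    This is the condition that FileUpload 1.3.1 rejects with
    IllegalArgumentException ("The buffer size specified for this
    MultipartStream is too small"); earlier versions loop forever on
    such input instead of raising.
    """
    boundary = extract_boundary(content_type)
    if not boundary:
        return False
    # FileUpload converts the boundary to bytes as ISO-8859-1.
    boundary_bytes = boundary.encode("iso-8859-1", "replace")
    return bufsize < len(boundary_bytes) + BOUNDARY_PREFIX_LEN + 1


def flag_requests(records, bufsize=DEFAULT_BUFSIZE):
    """Scan (request_id, content_type) pairs; return ids of suspicious ones."""
    return [rid for rid, ct in records if boundary_too_long(ct, bufsize)]


# Constructed sample headers (not captured traffic).
SAMPLE_RECORDS = [
    ("r1", "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"),
    ("r2", "application/x-www-form-urlencoded"),
    ("r3", 'multipart/form-data; boundary="' + "A" * 4091 + '"'),  # just fits
    ("r4", "multipart/form-data; boundary=" + "A" * 4092),           # one byte too many
]

if __name__ == "__main__":
    for rid in flag_requests(SAMPLE_RECORDS):
        print("suspicious multipart boundary in request", rid)
```

Note that a long boundary is not proof of an attack (browsers never send one that long, but a badly written client might), so use this as a triage rule rather than a blocking rule unless you are still waiting for the fix to be installed.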

This vulnerability affects all versions of IBM Connections, including all releases under IBM support and maintenance, i.e. 5.0, 4.5, 4.0 and 3.0.1.1.

The good news is that IBM has released fixes for all these versions, including the somewhat ancient 3.0.1.1, which I think is pretty impressive:

Apply the appropriate fix pack or APAR to remediate these issues as per this table. Note, if possible, it is always recommended to upgrade to the most recent release of IBM Connections.

Product version                              Remediation
IBM Connections 5.0                          Upgrade to IBM Connections 5.0 CR1
IBM Connections 4.5                          Upgrade to IBM Connections 4.5 CR5 and apply Interim Fix APAR LO82478
IBM Connections 4.0                          Upgrade to IBM Connections 4.0 CR4 and apply Interim Fix APAR LO82478
IBM Connections 3.0.1.1                      Upgrade to IBM Connections 3.0.1.1 CR3 and apply Interim Fix APAR LO82478
IBM Connections 3.0.1 and earlier releases   Either upgrade to IBM Connections 5.0 CR1, or upgrade to IBM Connections 3.0.1.1 CR3, apply the prerequisites and apply APAR LO82478

Whichever version of IBM Connections you run, my advice is that it really is imperative to get these fixes onto your systems as quickly as is reasonably possible, particularly if your Connections system is reachable from outside your network: the CVSS vector above (AV:N, Au:N) means the issue can be triggered remotely without any credentials.
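Once the CR or APAR is on, it is worth confirming that no copy of the old library is left behind in a deployed application. The script below is an added example, not part of the original post or of IBM's fixes: it walks a directory tree, finds every commons-fileupload jar, reads the version from the jar manifest (falling back to the file name) and reports anything older than 1.3.1. The path you point it at is your own assumption about where Connections and WebSphere keep their application libraries, and a vendor backport could leave an older version string on a patched jar, so treat a "vulnerable" hit as something to confirm against IBM's fix list rather than as proof. The two jars it builds are constructed fixtures.

```python
# Added example (not part of the original post or of IBM's fixes):
# audit a directory tree for commons-fileupload jars older than 1.3.1.
# Assumptions: the root you scan is your guess at where the deployed
# applications live, and a jar's Implementation-Version reflects the
# code inside it (a backported fix may keep an older version string).
import os
import re
import tempfile
import zipfile

FIXED_IN = (1, 3, 1)   # Commons FileUpload release that contains the fix


def parse_version(text):
    """'1.3.1' -> (1, 3, 1); '1.3' -> (1, 3, 0); trailing qualifiers are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def jar_version(path):
    """Read the version from the jar manifest, falling back to the file name."""
    with zipfile.ZipFile(path) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() in ("implementation-version", "bundle-version"):
            return value.strip()
    m = re.search(r"commons-fileupload-(\d[\d.]*)\.jar$", os.path.basename(path), re.I)
    return m.group(1) if m else None


def find_fileupload_jars(root):
    """Yield every commons-fileupload*.jar below root (case-insensitive)."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            low = name.lower()
            if low.startswith("commons-fileupload") and low.endswith(".jar"):
                yield os.path.join(dirpath, name)


def audit(root):
    """Map each jar path to (version string or None, needs_fix)."""
    report = {}
    for jar in sorted(find_fileupload_jars(root)):
        version = jar_version(jar)
        # An unknown version is reported as needing attention, not passed silently.
        needs_fix = version is None or parse_version(version) < FIXED_IN
        report[jar] = (version, needs_fix)
    return report


def build_sample_tree():
    """Constructed fixture: two fake jars standing in for a real deployment."""
    root = tempfile.mkdtemp(prefix="fileupload-audit-")
    fixtures = {
        "app1/WEB-INF/lib/commons-fileupload-1.3.jar": "Implementation-Version: 1.3",
        "app2/WEB-INF/lib/commons-fileupload-1.3.1.jar": "Implementation-Version: 1.3.1",
    }
    for rel, version_line in fixtures.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF",
                         "Manifest-Version: 1.0\r\n" + version_line + "\r\n")
    return root


if __name__ == "__main__":
    # Replace build_sample_tree() with the real installation root when auditing.
    for jar, (version, needs_fix) in audit(build_sample_tree()).items():
        print("%-10s %-6s %s" % ("VULNERABLE" if needs_fix else "ok", version, jar))
```

Run it against each node of the deployment, not just the deployment manager, since the fix packages update the applications on every server they are installed on.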

IBM Connections 4.5 CR5 is now available

When IBM Connections was first released, all patches to the on-premises code were released as iFixes: individual fix packages that could be installed and uninstalled one at a time. This was very flexible and allowed issues to be patched very quickly, but it also led to very time-consuming patching processes, and almost every system I visited had a different set of code updates installed. Not ideal!

For the past few versions, IBM has managed updates to Connections using Cumulative Refreshes (CRs). Each CR consists of a set of cumulative fixes for each of the IBM Connections applications. This is a much more manageable approach, with approximately one CR released each quarter, and single fixes available from IBM support should an issue be particularly serious.

The latest CR for IBM Connections 4.5 has just been released:

[titled_box title = “Cumulative Refresh 5 summary”]CR5 is a set of 20 fix packages, which update each application entirely. Please apply all 20 fix packages together. The CCM (Connections Content Management) package should only be installed on Connections environments which have Content Management configured. In addition to these 20 fix packages, there is a new TDISOL version released along with CR5, which can be installed on any 4.5 Connections environment. Please download TDISOL 4.5 2014-07-10 from Fix Central.

CR5 uses the same version of the Update Installer as CR4, which is published in Fix Central under this link: 4.5.0.0-IC-Multi-UPDI-20131020

CR5 includes all fixes in CR1, CR2, CR3, and CR4, plus fixes LO74499 and LO74629, listed in this document. It also includes LO74571 for Connections Mail support. It is not necessary to apply these previous fixes if you are installing CR5. CR5 can also be applied on environments that have those fixes already applied.[/titled_box]

You can download IBM Connections 4.5 CR5 from Fix Central.