An update on IBM Connections and the POODLE vulnerability

*** UPDATE: 10:53GMT, 3 November 2014 ***

As reader Oliver Regelmann has pointed out in the comments below, these fixes are sadly not for the POODLE issue (CVE-2014-3566) at all, but for an altogether different vulnerability in Connections: CVE-2014-0050, a denial-of-service flaw in the Apache Commons FileUpload library that Connections bundles. The remediation steps below are still worth applying, but they do nothing about SSLv3 or POODLE.

My fellow contributor, Sjaak Ursinus, created a detailed post a couple of weeks back detailing the impact that the POODLE vulnerability could have on your IBM Connections platform, and the steps required to work around the issue (though Sjaak himself noted that it wasn't much of a workaround). If you haven't heard of POODLE, then I suggest you go read Sjaak's post now.

Just a few days ago, IBM Connections product manager Luis Benitez added a comment to the post linking to IBM's technote on the topic.

Since then, IBM has released a further update, and this post attempts to bring you the latest news on the issue.

Firstly, the vulnerability itself, as IBM describes it:

A security vulnerability was reported against Apache Commons FileUpload. IBM Connections uses Apache Commons FileUpload. A version of the package that is vulnerable to these issues is used in several past versions of IBM Connections. To fix this vulnerability apply the fixes as detailed in the Remediation section.

CVE-ID: CVE-2014-0050
Description: MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop’s intended exit conditions.
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90987 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

This vulnerability affects all versions of IBM Connections, including all releases under IBM support and maintenance, i.e. 5.0, 4.5, 4.0 and 3.0.1.1.
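The crafted header in the CVE description is, in practice, a multipart/form-data Content-Type whose boundary parameter is far longer than the roughly 4 KB buffer that Commons FileUpload's MultipartStream reads into; RFC 2046 (section 5.1.1) caps a boundary at 70 characters, so a front end that enforces that limit drops the malformed request before it reaches the vulnerable parser. The following Python is an added example written for this post, not code from IBM, Apache or the original article: a Content-Type pre-filter of the kind you could adapt into a reverse-proxy or WAF rule in front of Connections while the fixes are rolled out. The header values it triages are constructed for the example, and the 70-character limit is the RFC's, not anything IBM publishes.

```python
import re

# RFC 2046 section 5.1.1: a multipart boundary is 1 to 70 characters long.
# The boundary that triggers CVE-2014-0050 is thousands of characters long,
# so enforcing the RFC limit blocks it with plenty of margin.
MAX_BOUNDARY_LEN = 70

# Characters RFC 2046 permits in a boundary. Note that ';' and '"' are not
# among them, which is why the simple split on ';' below is safe here.
_BCHARS = re.compile(r"^[0-9A-Za-z'()+_,\-./:=? ]{1,70}$")


def parse_content_type(header):
    """Split a Content-Type header into (media_type, {param: value}).

    Handles both token and quoted-string parameter values, e.g.
      multipart/form-data; boundary=----abc
      multipart/form-data; boundary="simple boundary"
    Parameter names are lower-cased; values keep their case.
    """
    parts = [p.strip() for p in header.split(";")]
    media_type = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        params[name.strip().lower()] = value
    return media_type, params


def check_multipart_header(header):
    """Return (accept, reason) for a request's Content-Type header.

    accept is False for headers a front-end filter should reject before
    they reach the multipart parser. Non-multipart requests pass through
    untouched; the filter only judges the boundary parameter.
    """
    media_type, params = parse_content_type(header)
    if not media_type.startswith("multipart/"):
        return True, "not multipart"
    boundary = params.get("boundary")
    if boundary is None:
        return False, "multipart without boundary parameter"
    if len(boundary) > MAX_BOUNDARY_LEN:
        return False, "boundary length %d exceeds RFC 2046 limit of %d" % (
            len(boundary), MAX_BOUNDARY_LEN)
    # RFC 2046 also forbids a trailing space in the boundary.
    if not _BCHARS.match(boundary) or boundary.endswith(" "):
        return False, "boundary contains characters RFC 2046 does not allow"
    return True, "ok"


# Constructed sample headers (not captured traffic) covering the cases a
# filter in front of Connections would see.
SAMPLE_HEADERS = {
    "normal upload": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "quoted boundary": 'multipart/form-data; boundary="simple boundary"',
    "overlong boundary": "multipart/form-data; boundary=" + "A" * 5000,
    "no boundary": "multipart/form-data",
    "plain json": "application/json; charset=utf-8",
}


def triage(headers=SAMPLE_HEADERS):
    """Map each sample name to whether the filter would accept it."""
    return {name: check_multipart_header(h)[0] for name, h in headers.items()}


if __name__ == "__main__":
    for name, h in SAMPLE_HEADERS.items():
        ok, why = check_multipart_header(h)
        print("%-18s %-6s %s" % (name, "ACCEPT" if ok else "REJECT", why))
```

Run it as-is to see the five constructed headers triaged; only the overlong and boundary-less multipart headers are rejected. This is a compensating control, not a fix: it reduces exposure of an internet-facing Connections instance until the CR and APAR in the table below are applied, and it does nothing for requests that bypass the proxy.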

The good news is that IBM has released fixes for all these versions, including the somewhat ancient 3.0.1.1, which I think is pretty impressive:

Apply the appropriate fix pack or APAR to remediate these issues as per this table. Note, if possible, it is always recommended to upgrade to the most recent release of IBM Connections.

Product Version                             Remediation
IBM Connections 5.0                         Upgrade to IBM Connections 5.0 CR1
IBM Connections 4.5                         Upgrade to IBM Connections 4.5 CR5 and apply Interim Fix APAR LO82478
IBM Connections 4.0                         Upgrade to IBM Connections 4.0 CR4 and apply Interim Fix APAR LO82478
IBM Connections 3.0.1.1                     Upgrade to IBM Connections 3.0.1.1 CR3 and apply Interim Fix APAR LO82478
IBM Connections 3.0.1 and earlier releases  Either upgrade to IBM Connections 5.0 CR1, or upgrade to IBM Connections 3.0.1.1 CR3, apply prerequisites and apply APAR LO82478

Whichever version of IBM Connections you run, my advice is that it really is imperative to get these fixes onto your systems as quickly as is reasonably possible – particularly if your Connections system is reachable from the internet, since the CVSS vector above (AV:N, Au:N) says this is a denial of service that any unauthenticated remote client can trigger.

Stuart McIntyre is a Senior Strategist at Fostering Community Limited. He curates a number of product-focused news sites, is a lapsed podcaster, founded the Social Connections user group and regularly speaks at conferences and events. This blog represents his own slightly-eccentric and usually-controversial opinions!
  • Oliver Regelmann

    Are you sure these interim fixes provide a fix for the missing SSLv3 support in Connections and the Poodle issue? According to the technote these fix an issue in Apache Commons FileUpload with a completely different CVE number than the Poodle issue.

  • Oliver, you’re right… That’s rather embarrassing, I guess as a result of me wanting POODLE to be sorted ASAP…

    POODLE is CVE-2014-3566, whereas this Commons FileUpload issue is CVE-2014-0050. Thanks for spotting this – I’ll update the post.