
Author Topic: TLS padding vulnerability affects IBM HTTP Server (CVE-2014-8730)  (Read 2057 times)


Michael

Security Bulletin
TLS padding vulnerability affects IBM HTTP Server (CVE-2014-8730)
Summary

Transport Layer Security (TLS) padding vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) like attack affects IBM HTTP Server.
Workarounds and Mitigations
For all versions and releases of Apache-based IBM HTTP Server, IBM recommends enabling strict CBC padding enforcement. Add the following directive to the httpd.conf file to disable SSLv3 and SSLv2 for each context that contains "SSLEnable":

# Enable strict CBC padding
SSLAttributeSet 471 1

For full text see IBM bulletin here (or my copy here)
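
The bulletin asks for the directive in each context that contains "SSLEnable", so a single entry in httpd.conf may not cover every TLS virtual host. The following check is an added example, not part of the post or of IBM's bulletin; the function name and the sample configuration are constructed, and it assumes a context is either the global scope or one `<VirtualHost>` block.

```python
import re

VHOST_OPEN = re.compile(r"<\s*VirtualHost\b([^>]*)>", re.I)
VHOST_CLOSE = re.compile(r"<\s*/\s*VirtualHost\s*>", re.I)

def contexts_missing_strict_padding(conf_text):
    """Return contexts that contain SSLEnable but not 'SSLAttributeSet 471 1'.

    Assumptions: a context is the global scope or one <VirtualHost> block;
    other sections (<IfModule>, <Directory>) count as part of the context
    enclosing them; Include files are not followed.
    """
    contexts = {"global": {"enabled": False, "strict": False}}
    current = "global"
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive does not count
        opened = VHOST_OPEN.match(line)
        if opened:
            current = f"VirtualHost {opened.group(1).strip()} (line {lineno})"
            contexts[current] = {"enabled": False, "strict": False}
        elif VHOST_CLOSE.match(line):
            current = "global"
        else:
            words = line.split()
            name = words[0].lower()  # directive names are case-insensitive
            if name == "sslenable":
                contexts[current]["enabled"] = True
            elif name == "sslattributeset" and words[1:3] == ["471", "1"]:
                contexts[current]["strict"] = True
    return [c for c, s in contexts.items() if s["enabled"] and not s["strict"]]

# Constructed sample, not a real server's configuration.
SAMPLE_CONF = """\
Listen 443
<VirtualHost *:443>
    SSLEnable
    # Enable strict CBC padding
    SSLAttributeSet 471 1
</VirtualHost>
<VirtualHost *:8443>
    SSLEnable
</VirtualHost>
"""

if __name__ == "__main__":
    for ctx in contexts_missing_strict_padding(SAMPLE_CONF):
        print("SSLEnable without strict CBC padding:", ctx)
```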