The POODLE SSLv3 vulnerability and its impact on Identity Manager

  • 7015788
  • 16-Oct-2014
  • 22-Dec-2014

Environment

NetIQ Identity Manager 4.0
NetIQ Identity Manager 4.0.1
NetIQ Identity Manager 4.0.2
NetIQ Identity Manager 4.5.0
NetIQ Identity Manager Roles Based Provisioning Module 4.0
NetIQ Identity Manager Roles Based Provisioning Module 4.0.1
NetIQ Identity Manager Roles Based Provisioning Module 4.0.2
NetIQ Identity Manager Roles Based Provisioning Module 4.5.0
NetIQ Identity Manager Designer 4.0.2
NetIQ Identity Manager Designer 4.5.0

Situation

Unlike many other vulnerabilities this security issue is not within code but within a protocol.  Therefore, it is not about a particular OS that needs to be patched.  Resolving this vulnerability requires a review of an enviroment's ability to remove SSLv3 services and use TLS instead.  Both clients and servers need to be reviewed as to whether their applications and services still require SSLv3.
 
A good writeup on the subject can be found here:   https://www.suse.com/support/kb/doc.php?id=7015773

Resolution

IDM is affected by this vulnerability. Engineering is currently looking into this.

IDM engine and Remote Loader, as well as driver shims that provide web-based interfaces are affected by it. They support both SSLv3 and TLSv1. The following engine and driver updates have been released to address this vulnerability and can be obtained at https://dl.netiq.com :

IDM 4.0.2 Engine & Remote Loader Patch 7
IDM 4.5 Engine & Remote Loader Patch 1

IDM 4.5 Oracle EBS Driver Version 4.0.0.3
IDM 4.5 SAP User Driver Version 4.0.0.3
IDM 4.5 SAP HR Driver Version 4.0.0.2
IDM 4.5 Manual Task Driver Version 4.0.0.1

Web components of IDM, when their respective application servers are configured for HTTPS can be affected by this vulnerability. Please contact the application server vendor for instructions on how to address it. 

For Tomcat and JBoss please contact Red Hat. This article could also be helpful: https://access.redhat.com/articles/1232123

For WebSphere please contact IBM. This article could also be helpful: http://www-01.ibm.com/support/docview.wss?uid=swg21687172

For WebLogic please contact Oracle. This article could also be helpful: http://docs.oracle.com/cd/E13222_01/wls/docs103/secmanage/ssl.html

Designer 4.0.2 and Designer 4.5.0 SVN component, when used over HTTPS is vulnerable to POODLE since it defaults to SSLv3. Designer 4.5.0.1 (online update) contains the fix for the vulnerability for Designer 4.5. A hotfix with manual installation steps has been made available for Designer 4.0.2 AU5 and can be downloaded at https://dl.netiq.com .


Feedback service temporarily unavailable. For content questions or problems, please contact Support.