KB Article #176829

F5 SSL vulnerability CVE-2014-8730

Problem

-- Is Interchange vulnerable to CVE-2014-8730?
-- F5 SSL issue “Incorrect TLS padding could be accepted when terminating TLS 1.x CBC cipher connections." F5 has fetched CVE-2014-8730 for this issue.”
-- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8730

Resolution

* Interchange does not implement TLS or any of the cipher suites. Interchange uses the security provider framework that is part of the Java runtime (javax.net.ssl). It is set up to use different security providers, which provide the encryption / decryption code (the ciphers). Interchange uses the Oracle (Sun) provider, as well as the IAIK provider (On AIX, it uses IBM + IAIK). On AIX, where the IBM JVM is used, Interchange is using IBM's runtime.
=> Interchange depends on the security provider to update the java runtime to fix bugs discovered in the implementation of cipher suites. Interchange does not have the ability to fix these issues ourselves.
* Interchange is not directly vulnerable and can't help fixing.
* CVE-2014-8730 is F5 specific and the F5 vendor should be contacted directly for guidance.
* While Interchange is not vulnerable to this specific CVE, it is possible to have a vulnerable F5 system providing an SSL proxy in front of an Interchange system.

Still need help?

If this information wasn't helpful to you, just drop us a line. We'll get back to you as soon as possible.