Environment
NetIQ Identity Manager 4.0
NetIQ Identity Manager 4.0.1
NetIQ Identity Manager 4.0.2
NetIQ Identity Manager 4.5.0
NetIQ Identity Manager Roles Based Provisioning Module 4.0
NetIQ Identity Manager Roles Based Provisioning Module 4.0.1
NetIQ Identity Manager Roles Based Provisioning Module 4.0.2
NetIQ Identity Manager Roles Based Provisioning Module 4.5.0
NetIQ Identity Manager Designer 4.0.2
NetIQ Identity Manager Designer 4.5.0
Situation
Unlike many other vulnerabilities, this security issue is not within code but within a protocol. Therefore, it is not about a particular OS that needs to be patched. Resolving this vulnerability requires a review of an environment's ability to remove SSLv3 services and use TLS instead. Both clients and servers need to be reviewed as to whether their applications and services still require SSLv3.
A good writeup on the subject can be found here: https://www.suse.com/support/kb/doc.php?id=7015773
Resolution
IDM is affected by this vulnerability. Engineering is currently looking into this.
The IDM engine and Remote Loader, as well as driver shims that provide web-based interfaces, are affected by it. They support both SSLv3 and TLSv1. The following engine and driver updates have been released to address this vulnerability and can be obtained at https://dl.netiq.com:
IDM 4.0.2 Engine & Remote Loader Patch 7
IDM 4.5 Engine & Remote Loader Patch 1
IDM 4.5 Oracle EBS Driver Version 4.0.0.3
IDM 4.5 SAP User Driver Version 4.0.0.3
IDM 4.5 SAP HR Driver Version 4.0.0.2
IDM 4.5 Manual Task Driver Version 4.0.0.1
Web components of IDM can be affected by this vulnerability when their respective application servers are configured for HTTPS. Please contact the application server vendor for instructions on how to address it.
For Tomcat and JBoss please contact Red Hat. This article could also be helpful: https://access.redhat.com/articles/1232123
For WebSphere please contact IBM. This article could also be helpful: http://www-01.ibm.com/support/docview.wss?uid=swg21687172
For WebLogic please contact Oracle. This article could also be helpful: http://docs.oracle.com/cd/E13222_01/wls/docs103/secmanage/ssl.html
The SVN component of Designer 4.0.2 and Designer 4.5.0, when used over HTTPS, is vulnerable to POODLE because it defaults to SSLv3. Designer 4.5.0.1 (online update) contains the fix for the vulnerability for Designer 4.5. A hotfix with manual installation steps has been made available for Designer 4.0.2 AU5 and can be downloaded at https://dl.netiq.com.
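The review described under Situation can be partly automated by sending a hand-built SSLv3 ClientHello to a service and checking whether it answers with an SSLv3 ServerHello or with an alert. This is an added example, not NetIQ code: the function names are hypothetical, the sample replies in it are constructed, and the record is built by hand because many current TLS libraries are compiled without SSLv3 support.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"  # SSLv3 version bytes as they appear on the wire

def sslv3_client_hello():
    """Build a minimal SSLv3 ClientHello record (no extensions)."""
    # Legacy suites an SSLv3 server is likely to share:
    # AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA
    suites = struct.pack("!4H", 0x002F, 0x0035, 0x000A, 0x0005)
    body = (SSL3 + os.urandom(32)                 # client_version, client random
            + b"\x00"                             # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                        # one compression method: null
    # Handshake header: type 1 (ClientHello) followed by a 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Map the first bytes of the server's reply to accepted / rejected / unknown."""
    if len(data) >= 5 and data[0] == 0x15:        # alert record: handshake refused
        return "rejected"
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02:  # ServerHello
        return "accepted" if data[9:11] == SSL3 else "unknown"
    return "unknown"                              # closed, reset, or not a TLS service

def probe(host, port, timeout=5.0):
    """Send the ClientHello to host:port and classify what comes back."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(sslv3_client_hello())
            while len(data) < 11:                 # enough to see the server_version
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        pass                                      # classify whatever arrived before the error
    return classify_response(data)

if __name__ == "__main__":
    # Constructed replies, so the example runs offline.
    server_hello = b"\x16\x03\x00\x00\x2a\x02\x00\x00\x26\x03\x00" + bytes(36)
    alert = b"\x15\x03\x00\x00\x02\x02\x28"       # fatal handshake_failure
    print(classify_response(server_hello), classify_response(alert))
```

An `unknown` result means the service closed or reset the connection without sending an alert, or is not speaking SSL/TLS on that port, and needs a manual check of its configuration.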