Impact
The POODLE attack can be used against any system or application that supports SSL 3.0 with CBC mode ciphers. This affects most current browsers and websites, but also includes any software that either references a vulnerable SSL/TLS library (e.g. OpenSSL) or implements the SSL/TLS protocol suite itself. By exploiting this vulnerability in a likely web-based scenario, an attacker can gain access to sensitive data passed within the encrypted web session, such as passwords, cookies and other authentication tokens that can then be used to gain more complete access to a website (impersonating that user, accessing database content, etc.).
There are 3 CA OPS/MVS components affected by this vulnerability.
- OPSLOG Webview
- OPS Web Services Samples
- WebCenter
Solution
Disabling SSLv3 on either client side or server side will mitigate this vulnerability. The following solutions are available for download from CA Support online.
RO76554 - Disables the use of SSL V3 for OPSLOG WebView for CA OPS/MVS versions 12.1 and 12.2
- Disables the use of SSL V3 for Web Services Samples for CA OPS/MVS version 12.2
RO76694 - Disables the use of SSL V3 for WebCenter for CA OPS/MVS version 12.2
You can download this APARs from CA Support Online,
- Go to the Download Center / Published Solutions,
- Specify OPS as your product, Select "CA OPS/MVS Event Management and Automation for JES2 - MVS" from the list
- Select the following components
- OPS/MVS
- Unicenter NetMaster Management Services
- Click on "Go"