Tuesday Tip: SSLv3 POODLE Vulnerability (CVE-2014-3566) - WAAE (AutoSys) Advisory

Document created by Mark_Hanson Employee on Nov 7, 2014Last modified by Lenn Thompson on Apr 20, 2016
Version 5Show Document
  • View in full screen mode

On Tuesday, October 14, 2014 a security advisory was published by Google on a vulnerability in SSL version 3.0. This exploit is commonly called POODLE (Padding Oracle On Downgraded Legacy Encryption).

Secure Sockets Layer version 3.0 (SSLv3) while obsolete and insecure is still in widespread use as a fallback protocol to its successor, TLS.

The National Vulnerability Database gives this vulnerability a Medium risk rating using the Common Vulnerability Scoring System (CVSS).

 

How is WAAE (AutoSys) affected?

 

The following components are at risk:

 

EEM

CAPKI (aka ETPKI)

WCC (Tomcats)

Web Server

iDash

iXp

JAWS

SystemAgent (cybAgent 11.3.x)

 

The following command can be used to test for SSLv3 support:

 

# openssl s_client -connect <host>:<port> -ssl3

 

Disabling SSLv3 on either the client side or server side will mitigate this vulnerability.

 

EEM

 

To disable SSLv3 on EEM please make the following configuration change:

On the EEM server, in igateway.conf file

In <Connector name="defaultport"> tag, set the protocol to TLSV1

..

<secureProtocol>TLSV1</secureProtocol>

 

WCC (If SSL is enabled)

 

Version 11.3 SP1

 

Tomcat Servers (6.0.28)                HTTPS                  Configuration File

AppEditorServer                10131                  ./AppEditorServer/conf/server.xml

CmdAppServer                                10148                  ./CmdAppServer/conf/server.xml

ConfigServer                                    10134                  DO NOT MODIFY (Internal Use Only)

EventServer                                      10140                  ./EventCPMServer/conf/server.xml

HAServer                                          10151                  ./HAServer/conf/server.xml

JobStatusConsoleServant              10145                  ./JobStatusConsoleServant/conf/server.xml

LauncherServer                                8443                    ./LauncherServer/conf/server.xml

MonitoringServer                            10137                  ./MonitoringServer/conf/server.xml

QuickEditServer                              10154                  ./QuickEditServer/conf/server.xml

QuickViewServer                            10157                  ./QuickViewServer/conf/server.xml

RemoteServices                              10163                  ./RemoteServices/conf/server.xml

ResourcesServer                              10160                  ./ResourcesServer/conf/server.xml

 

To disable SSLv3 for WCC 11.3 SP1 please modify the Tomcat configuration files listed above as follows:

 

Make the following update and addition to the SSL connector tag:

 

<!-- Pure SSL Enabled Start -->…

sslProtocol=”TLSv1”

protocols=”TLSv1”

 

Restart WCC services.

 

 

Version 11.3.5

 

Tomcat Servers (7.0.22)                HTTPS                  Configuration File

CA-wcc                                              8443                    ./tomcat/conf/server.xml

 

To disable SSLv3 for WCC 11.3.5 please modify the Tomcat configuration file listed above as follows:

 

Make the following update and addition to the SSL connector tag:

 

<Connector acceptCount=”100” clientAuth=”false” debug=”0”

sslProtocol=”TLSv1” sslEnabledProtocols=”TLSv1”

 

Restart WCC services.

 

 

Version 11.3.6

 

Tomcat Servers (7.0.37)                HTTPS                  Configuration File

CA-wcc                                              8443                    ./tomcat/conf/server.xml

 

To disable SSLv3 for WCC 11.3.6 please modify the Tomcat configuration file listed above as follows:

 

Make the following update and addition to the Catalina connector tag:

 

<Connector acceptCount=”100” clientAuth=”false”

sslProtocol=”TLSv1.2” sslEnabledProtocols=”TLSv1.2,TLSv1.1,TLSv1”

 

Restart WCC services.

 

 

Version 11.1 SP4

 

Tomcat Servers (6.0.28)                HTTPS                  Configuration File

LauncherServer                                8443                    ./ LauncherServer/conf/server.xml

AdminServer                                    10131                  ./ AdminServer /conf/server.xml

MonitorServer                                  10137                  ./ MonitorServer /conf/server.xml

UIFrameworkServer                        10148                  ./ UIFrameworkServer /conf/server.xml

EventServer                                      10140                  ./ EventServer /conf/server.xml

ConfigServer                                    10134                  DO NOT MODIFY (Internal Use Only)

JobStatusConsoleServer                10145                  ./ JobStatusConsoleServer /conf/server.xml

HAServer                                          10151                  ./ HAServer /conf/server.xml

 

To disable SSLv3 for WCC 11.1 SP4 please modify the Tomcat configuration files listed above as follows:

 

Make the following addition to the SSL connector tag:

 

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->…

… sslProtocol=”TLS” protocols=”TLSv1”

 

Restart WCC services.

 

 

CAPKI

 

The following OpenSSL vulnerabilities have been addressed since CAPKI Release 4.3.4 and are available in CA Workload Automation AE Release 11.3.6 SP1 via CAPKI 4.3.6:

  • CVE-2014-3506
  • CVE-2014-3508
  • CVE-2014-3510
  • CVE-2014-3567
  • CVE-2014-3568

 

Web Server (v11.3.5 or v11.3.6)


Tomcat Servers (7.0.37)                HTTPS                  Configuration File

Web Server                                      9443                    ./webserver/conf/server.xml

 

To disable SSLv3 for the WAAE Web Server please modify the Tomcat configuration file listed above as follows:

 

Make the following update to the SSL connector tag:

 

<Connector port=”9443” proxyPort=”443”

sslEnabledProtocols=”TLSv1.2,TLSv1.1,TLSv1”

 

Restart the Web Server.

 

iDash (If SSL is enabled)


A Tomcat Server is not shipped with iDash, but is required for operation.

Customers are encouraged to consult the Apache Wiki page for guidance on securing Tomcat.

http://wiki.apache.org/tomcat/Security/POODLE

 

iXp (If SSL is enabled)


A Tomcat Server is not shipped with iXp, but is required for operation.

Customers are encouraged to consult the Apache Wiki page for guidance on securing Tomcat.

http://wiki.apache.org/tomcat/Security/POODLE

 

JAWS

 

The following has been provided by TERMA.

“How to set up JAWS with HTTPS”:

These instructions have been modified 11/03/14 to only support TLS and not support SSL in order to not be vulnerable to POODLE or any other SSL vulnerability.

  1. Generate a key by running $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore ${JAWS.jboss.dist}/server/default/conf/chap8.keystore. Adjust the keystore path to reflect the actual location of your JAWS jboss directory.

• IMPORTANT: when prompted for first/last name, enter the hostname of the JAWS server as you will use it in constructing URLs for testing. Specify the key password to be the same as the keystore password (this is the default).

  1. Edit the appropriate server.xml file in the JAWS JBoss directory, uncomment the SSL section, and edit the keystore path and password to agree with what you specified in step 1, add truststoreFile and truststorePass. My server.xml was in ${JAWS.jboss.dist}/server/default/deploy/jbossweb-tomcat50.sar/server.xml

 

<Connector port="8443" address="${jboss.bind.address}"

maxThreads="100" minSpareThreads="5" maxSpareThreads="15"

scheme="https" secure="true" clientAuth="false"

keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"

keystorePass="password"

truststoreFile="conf/chap8.keystore"

truststorePass="password"

sslProtocol = "TLSv1,TLSv1.1,TLSv1.2"  />

  1. If you wish to remove the non-secure http protocol, comment out the HTTP section in the server.xml--otherwise, both will be active.
  2. That's all you need to do...you should be able to re-start the server, and access jaws with https://localhost:8443/jaws. The browser will complain about the certificate not being trusted, though...

Accessing SSL from a CLI or Java client requires some awareness of trusted certificates--just trying to open a stream on a secure URL will result in an exception. There are a number of ways to do this, but a simple one that is adequate for development testing is to add the following lines to Java or CLI (Jython) code:

  1. System.setProperty( "javax.net.ssl.trustStore", "/opt/JBoss/jboss-4.0.1sp1/server/default/conf/chap8.keystore" )
  2. System.setProperty( "javax.net.ssl.trustStorePassword", "password" )

A sample CLI script to call forecasting_jobs_report.py

• Note: Copied forecasting_jobs_report.py to the lib directory

import params

import sys

import os

from jaws import *

from forecast_jobs_report import *

 

  1. System.setProperty( "javax.net.ssl.trustStore", "/opt/JAWS/430se-ora/Release/jboss/server/default/conf/chap8.keystore" )
  2. System.setProperty( "javax.net.ssl.trustStorePassword", "password" )

 

# Uncomment the below line  for debug purposes

# System.setProperty( "javax.net.debug", "ssl" )

 

select_server ( http_port = 8443, http_protocol = 'https', host = 'abrown-01l' )

login()

  • os.system('./examples/forecast_jobs_report.py "2013/09/16" "2013/09/18" 00:00:00')

logout()

 

 

SystemAgent (cybAgent 11.3.x)

 

If the SystemAgent is configured and being used as a FTP server it is potentially vulnerable to a small degree due to use of FTP over SSL (ftps).

We are evaluating the vulnerability and will address it as needed in a future release.

 

Browsers

 

Chrome

Google has indicated that the upcoming Chrome 39 stable release, SSL 3.0 fallback will be disabled.

SSL 3.0 is planned to be completely disabled in Chrome 40.

 

Firefox

The upcoming Mozilla 34 release is planned to remove support for SSLv3

 

IE

Microsoft has released afix-it” tool to remove support for SSLv3.

Attachments

    Outcomes