On Tuesday, March 01, 2016, a new SSL/TLS vulnerability, CVE-2016-0800, was disclosed. It is commonly called DROWN (Decrypting RSA with Obsolete and Weakened eNcryption). The vulnerability allows attackers to decrypt SSL sessions. The National Vulnerability Database gives this vulnerability a MEDIUM (5.9) risk rating using the Common Vulnerability Scoring System (CVSS).
- CA Workload Control Center (WCC): 11.1, 11.3, 11.3 SP1, 11.3.5
- CA Embedded Entitlements Manager: 8.4, 12.0, 12.51
- UAJM Agent (via CAPKI if SSL Enabled)
Any server that has not explicitly disabled SSLv2 or shares the same private key with a vulnerable server is at risk. The vulnerability affects a variety of clients.
CAPKI (aka ETPKI), WCC 11.1, 11.3, 11.3 SP1, & 11.3.5 (Tomcats) are at risk.
CA Workload Automation iDash is unaffected.
This vulnerability will be addressed starting with version 5.1.0 of CAPKI. Version 5.1.0 of CAPKI has been fortified against the weak encryption vulnerability to prevent clients from being exposed. CAPKI 5.1.0 is expected to be available within the next two weeks and may be applied to all current versions of AE schedulers & clients.
WCC (if SSL is enabled)
Version 11.1 SP4 will require an upgrade to be secured.
Versions 11.3, 11.3 SP1, & 11.3.5 may protect affected clients against the DROWN vulnerability by executing the following:
- Disable SSLv3 as described in the SSLv3 POODLE Advisory.
- Disable weak ciphers for each Tomcat as described in the "WCC: Disable Weak Ciphers in SSL Mode" document.
IMPORTANT: The Java Cryptography Extension (JCE) files appropriate to the Java version must be applied.
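One way to verify the two WCC steps above after applying them, added here as an example (not CA's code or tooling): the script parses a Tomcat server.xml and flags SSL-enabled connectors that still enable SSLv2/SSLv3 or list weak cipher suites. The sample configuration, the weak-protocol and weak-cipher lists, and the function name audit_connectors are assumptions for illustration; the attribute names are the standard Tomcat JSSE connector attributes, and the WCC file locations are given in the referenced documents.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample for illustration; not taken from a WCC installation.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" SSLEnabled="true" sslEnabledProtocols="TLSv1,SSLv3"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5"/>
    <Connector port="9443" SSLEnabled="true" sslEnabledProtocols="TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
  </Service>
</Server>"""

# Assumed deny-list of protocol names that should no longer be enabled.
WEAK_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3"}
# Assumed markers of export-grade, NULL, anonymous, RC4, single-DES and MD5 suites.
WEAK_CIPHER = re.compile(r"EXPORT|NULL|_anon_|RC4|_DES_|DES40|MD5")

def audit_connectors(server_xml):
    """Return {port: [findings]} for every SSL-enabled Tomcat <Connector>."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to audit
        findings = []
        protocols = conn.get("sslEnabledProtocols")
        if protocols is None:
            # No explicit list means the enabled protocols fall back to defaults.
            findings.append("sslEnabledProtocols not set")
        else:
            enabled = {p.strip() for p in protocols.split(",")}
            for proto in sorted(enabled & WEAK_PROTOCOLS):
                findings.append("weak protocol enabled: " + proto)
        ciphers = conn.get("ciphers")
        if ciphers is None:
            # No explicit list means the cipher suites fall back to defaults.
            findings.append("ciphers not set")
        else:
            for suite in (c.strip() for c in ciphers.split(",")):
                if WEAK_CIPHER.search(suite):
                    findings.append("weak cipher suite: " + suite)
        report[conn.get("port")] = findings
    return report

if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not findings else findings)
```

An empty findings list for a port means the connector names its protocols and ciphers explicitly and none of them match the deny-lists; it does not test what the running server actually negotiates.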
EEM version 12.51 CR04 can be secured by enabling FIPS mode or by upgrading the SSL key / certificates to 2048/SHA-2.
EEM versions prior to 12.51 CR04 can be secured only by enabling FIPS mode.
CA Workload Automation Team