DX Application Performance Management

Expand all | Collapse all

APM TIM and SSL Poodle Vulnerability (Revised)

  • 1.  APM TIM and SSL Poodle Vulnerability (Revised)

    Posted 10-23-2014 07:48 AM

    Note this is revised as of 10/24 with more details

     

     

    Issue:

     

       Recently RedHat has announced a security vulnerability in SSLv3 protocol, commonly referred to as ‘POODLE’. See the following    link for information:

     

         https://access.redhat.com/articles/1232123

     

     

    CA has determined TIM Admin UI application (TIM’s webserver) is impacted with this vulnerability. Additionally, communication between the CEM APM TIM appliance software and the CEM APM Enterprise Manager is affected if SSL communication is enabled between the two components.

     

     

    Versions
    affected
    :  All APM 9.x with CEM TIMsoft or TIM as Software.

     

     

    Workaround(fix for Poodle):

     

     

    Check & Disable SSLv3 on the TIM’s webserver with the following steps:

     

     

    1)  Run the following command on the TIM machine to see the successful handshake with SSL 3.0 protocol.

     

     

          openssl s_client -connect  <<TIM_IP>>:443 -ssl3

     

     

        2) Open the file -
    /etc/httpd/conf.d/ssl.conf and add the following entry to disable SSL 2.0 & 3.0. Take a backup of this file in case of any issue in recovery.

     

                SSLProtocol All -SSLv2 -SSLv3   

     

        3) Run the following commands to check that the configuration changes are correct and restart the httpd.

     

         
    service httpd configtest

     

     

    service httpd restart    

     

     

         4)    Run the following command in TIM machine and the handshake failure error for SSL 3.0
    protocol appears:

     

                                
    openssl s_client -connect <<TIM_IP>>:443 –ssl3

     

     

     

    5)   Verify TIM is receiving requests from EM/TESS by running the following command in TIM environment:

     

           tail -f /etc/httpd/logs/access_log

     

     

     

    If SSL communication is enabled between the TIM and EM/TESS, then do the additional step – “Configure the APM Enterprise Manager to use TLS for communicating to the TIM software.”

     

     

    To configure  the APM Enterprise Manager to use TLS :

     

     

    1)  Add the  following Java system property to the EM LAX file and restart the EM.
    This property should be set on the MOM and
    TIM Collection Service EM.  CA strongly suggests making this
    change on all Enterprise Managers to prevent issues if the TIM Collection
    Service needs to be moved between EMs in the cluster.

     

     

    -Dhttps.protocols=TLSv1

     

     

     

    Sample snippet:

     

     

    1. lax.nl.java.option.additional=-Xms10240m -Xmx10240m
      -Djava.awt.headless=false -XX:MaxPermSize=256m -Dmail.mime.charset=UTF-8
      -Dorg.owasp.esapi.resources=./config/esapi  -Xss512k
      -Dhttps.protocols=TLSv1

     

     

     

    2) After the bouncing the EM (TCS collector one), verify TIM is receiving requests from EM/TESS by running the following command in TIM
    environment:

     

     

               tail -f /etc/httpd/logs/ssl_access_log  



  • 2.  Re: APM TIM and SSL Poodle Vulnerability

    Posted 10-23-2014 03:00 PM

    Out of curiosity, would there be a Introscope manager property to set to enable only TLS (in theory we should be setting versions 1.1 or actually above) ?

     

    Would you expect that the next  manager/agent release v9.7 would have the crypto build without sslv2 nor sslv3 ?



  • 3.  Re: APM TIM and SSL Poodle Vulnerability (Revised)

    Posted 10-24-2014 02:42 PM

    Dear FredK::

     

    >Out of curiosity, would there be a Introscope manager property to set to enable only TLS (in theory we should be setting versions 1.1 or actually above) ?

    I could not find such a property in passing.

    >Would you expect that the next  manager/agent release v9.7 would have the crypto build without sslv2 nor sslv3 ?

       I don't have any details if this is changed in 9.7.

     

    Thank you,

    Hallett German

    CA Technologies APM Suppprt

     




  • 4.  Re: APM TIM and SSL Poodle Vulnerability

    Posted 10-24-2014 03:06 PM

    APM 9.7 code is currently in "Beta" so there will not be any changes to the default Crypto.   I expect we will re-evaluate this for a future release.

     

    Thank you,

    Corey Cohen

    CA Technologies Product Management



  • 5.  Re: APM TIM and SSL Poodle Vulnerability (Revised)

    Posted 12-08-2014 10:25 PM

    because SSL v3 vulnerability, v3 will be disabled from webservers . I wonder what CEM can decrypt and monitor afterwards, since only TLS v1.0 is supported