On Tuesday, October 14, 2014 a security advisory was published by Google on a vulnerability in SSL version 3.0. This exploit is commonly called POODLE (Padding Oracle On Downgraded Legacy Encryption).
Secure Sockets Layer version 3.0 (SSLv3) while obsolete and insecure is still in widespread use as a fallback protocol to its successor, TLS.
The National Vulnerability Database gives this vulnerability a Medium risk rating using the Common Vulnerability Scoring System (CVSS).
How is WAAE (AutoSys) affected?
The following components are at risk:
EEM
CAPKI (aka ETPKI)
WCC (Tomcats)
Web Server
iDash
iXp
JAWS
SystemAgent (cybAgent 11.3.x)
The following command can be used to test for SSLv3 support:
# openssl s_client -connect <host>:<port> -ssl3
Disabling SSLv3 on either the client side or server side will mitigate this vulnerability.
EEM
To disable SSLv3 on EEM please make the following configuration change:
On the EEM server, in igateway.conf file
In <Connector name="defaultport"> tag, set the protocol to TLSV1
..
<secureProtocol>TLSV1</secureProtocol>
WCC (If SSL is enabled)
Version 11.3 SP1
Tomcat Servers (6.0.28) HTTPS Configuration File
AppEditorServer 10131 ./AppEditorServer/conf/server.xml
CmdAppServer 10148 ./CmdAppServer/conf/server.xml
ConfigServer 10134 DO NOT MODIFY (Internal Use Only)
EventServer 10140 ./EventCPMServer/conf/server.xml
HAServer 10151 ./HAServer/conf/server.xml
JobStatusConsoleServant 10145 ./JobStatusConsoleServant/conf/server.xml
LauncherServer 8443 ./LauncherServer/conf/server.xml
MonitoringServer 10137 ./MonitoringServer/conf/server.xml
QuickEditServer 10154 ./QuickEditServer/conf/server.xml
QuickViewServer 10157 ./QuickViewServer/conf/server.xml
RemoteServices 10163 ./RemoteServices/conf/server.xml
ResourcesServer 10160 ./ResourcesServer/conf/server.xml
To disable SSLv3 for WCC 11.3 SP1 please modify the Tomcat configuration files listed above as follows:
Make the following update and addition to the SSL connector tag:
<!-- Pure SSL Enabled Start -->…
sslProtocol=”TLSv1”
protocols=”TLSv1”
Restart WCC services.
Version 11.3.5
Tomcat Servers (7.0.22) HTTPS Configuration File
CA-wcc 8443 ./tomcat/conf/server.xml
To disable SSLv3 for WCC 11.3.5 please modify the Tomcat configuration file listed above as follows:
Make the following update and addition to the SSL connector tag:
<Connector acceptCount=”100” clientAuth=”false” debug=”0”
…
sslProtocol=”TLSv1” sslEnabledProtocols=”TLSv1”
Restart WCC services.
Version 11.3.6
Tomcat Servers (7.0.37) HTTPS Configuration File
CA-wcc 8443 ./tomcat/conf/server.xml
To disable SSLv3 for WCC 11.3.6 please modify the Tomcat configuration file listed above as follows:
Make the following update and addition to the Catalina connector tag:
<Connector acceptCount=”100” clientAuth=”false”
…
sslProtocol=”TLSv1.2” sslEnabledProtocols=”TLSv1.2,TLSv1.1,TLSv1”
Restart WCC services.
Version 11.1 SP4
Tomcat Servers (6.0.28) HTTPS Configuration File
LauncherServer 8443 ./ LauncherServer/conf/server.xml
AdminServer 10131 ./ AdminServer /conf/server.xml
MonitorServer 10137 ./ MonitorServer /conf/server.xml
UIFrameworkServer 10148 ./ UIFrameworkServer /conf/server.xml
EventServer 10140 ./ EventServer /conf/server.xml
ConfigServer 10134 DO NOT MODIFY (Internal Use Only)
JobStatusConsoleServer 10145 ./ JobStatusConsoleServer /conf/server.xml
HAServer 10151 ./ HAServer /conf/server.xml
To disable SSLv3 for WCC 11.1 SP4 please modify the Tomcat configuration files listed above as follows:
Make the following addition to the SSL connector tag:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->…
… sslProtocol=”TLS” protocols=”TLSv1”
Restart WCC services.
CAPKI
The following OpenSSL vulnerabilities have been addressed since CAPKI Release 4.3.4 and are available in CA Workload Automation AE Release 11.3.6 SP1 via CAPKI 4.3.6:
- CVE-2014-3506
- CVE-2014-3508
- CVE-2014-3510
- CVE-2014-3567
- CVE-2014-3568
Web Server (v11.3.5 or v11.3.6)
Tomcat Servers (7.0.37) HTTPS Configuration File
Web Server 9443 ./webserver/conf/server.xml
To disable SSLv3 for the WAAE Web Server please modify the Tomcat configuration file listed above as follows:
Make the following update to the SSL connector tag:
<Connector port=”9443” proxyPort=”443”
…
sslEnabledProtocols=”TLSv1.2,TLSv1.1,TLSv1”
Restart the Web Server.
iDash (If SSL is enabled)
A Tomcat Server is not shipped with iDash, but is required for operation.
Customers are encouraged to consult the Apache Wiki page for guidance on securing Tomcat.
http://wiki.apache.org/tomcat/Security/POODLE
iXp (If SSL is enabled)
A Tomcat Server is not shipped with iXp, but is required for operation.
Customers are encouraged to consult the Apache Wiki page for guidance on securing Tomcat.
http://wiki.apache.org/tomcat/Security/POODLE
JAWS
The following has been provided by TERMA.
“How to set up JAWS with HTTPS”:
These instructions have been modified 11/03/14 to only support TLS and not support SSL in order to not be vulnerable to POODLE or any other SSL vulnerability.
- Generate a key by running $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore ${JAWS.jboss.dist}/server/default/conf/chap8.keystore. Adjust the keystore path to reflect the actual location of your JAWS jboss directory.
• IMPORTANT: when prompted for first/last name, enter the hostname of the JAWS server as you will use it in constructing URLs for testing. Specify the key password to be the same as the keystore password (this is the default).
- Edit the appropriate server.xml file in the JAWS JBoss directory, uncomment the SSL section, and edit the keystore path and password to agree with what you specified in step 1, add truststoreFile and truststorePass. My server.xml was in ${JAWS.jboss.dist}/server/default/deploy/jbossweb-tomcat50.sar/server.xml
<Connector port="8443" address="${jboss.bind.address}"
maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
keystorePass="password"
truststoreFile="conf/chap8.keystore"
truststorePass="password"
sslProtocol = "TLSv1,TLSv1.1,TLSv1.2" />
- If you wish to remove the non-secure http protocol, comment out the HTTP section in the server.xml--otherwise, both will be active.
- That's all you need to do...you should be able to re-start the server, and access jaws with https://localhost:8443/jaws. The browser will complain about the certificate not being trusted, though...
Accessing SSL from a CLI or Java client requires some awareness of trusted certificates--just trying to open a stream on a secure URL will result in an exception. There are a number of ways to do this, but a simple one that is adequate for development testing is to add the following lines to Java or CLI (Jython) code:
- System.setProperty( "javax.net.ssl.trustStore", "/opt/JBoss/jboss-4.0.1sp1/server/default/conf/chap8.keystore" )
- System.setProperty( "javax.net.ssl.trustStorePassword", "password" )
A sample CLI script to call forecasting_jobs_report.py
• Note: Copied forecasting_jobs_report.py to the lib directory
import params
import sys
import os
from jaws import *
from forecast_jobs_report import *
- System.setProperty( "javax.net.ssl.trustStore", "/opt/JAWS/430se-ora/Release/jboss/server/default/conf/chap8.keystore" )
- System.setProperty( "javax.net.ssl.trustStorePassword", "password" )
# Uncomment the below line for debug purposes
# System.setProperty( "javax.net.debug", "ssl" )
select_server ( http_port = 8443, http_protocol = 'https', host = 'abrown-01l' )
login()
- os.system('./examples/forecast_jobs_report.py "2013/09/16" "2013/09/18" 00:00:00')
logout()
SystemAgent (cybAgent 11.3.x)
If the SystemAgent is configured and being used as a FTP server it is potentially vulnerable to a small degree due to use of FTP over SSL (ftps).
We are evaluating the vulnerability and will address it as needed in a future release.
Browsers
Chrome
Google has indicated that the upcoming Chrome 39 stable release, SSL 3.0 fallback will be disabled.
SSL 3.0 is planned to be completely disabled in Chrome 40.
Firefox
The upcoming Mozilla 34 release is planned to remove support for SSLv3
IE
Microsoft has released a “fix-it” tool to remove support for SSLv3.