ESP Workload Automation


CA 7 Webstation and SSL Version 3.0 Poodle Vulnerability

  • 1.  CA 7 Webstation and SSL Version 3.0 Poodle Vulnerability

    Posted Oct 23, 2014 10:47 AM

    Issue Summary

    The CA 7 Web Client web application server is affected by the POODLE SSLv3 vulnerability (CVE-2014-3566) in Tomcat. Even though the connector's sslProtocol parameter is set to TLS, SSLv3 remains in the set of enabled protocols and a scan still detects the vulnerability. To avoid a possible impact, the current sslProtocol parameter should be replaced with a parameter that explicitly lists the enabled protocols and so disables SSLv3.

    Operating Systems

    • Windows Server 8 32-bit, 64-bit
    • Windows Server 2012 64-bit
    • Windows Server 2008 32-bit, 64-bit
    • Red Hat Enterprise Linux 5.0, 6.0 32-bit, 64-bit
    • SUSE Linux Enterprise Server 11 32-bit, 64-bit
    • UNIX System Services z/OS Version 1.10+ 31-bit, 64-bit
    • Linux zSeries RHEL V6.0 64-bit, SLES 10 64-bit

    Solution

    CA recommends disabling SSLv3 and using only TLSv1.1 or TLSv1.2. Where backward compatibility with older clients is required, TLSv1.x can be retained by listing it in the sslEnabledProtocols parameter.

    CA 7 Web Client runs Tomcat with the JSSE connectors, so the SSL protocol is configured in the file installdir/apache-tomcat-7.0.29/conf/server.xml. In this file, remove the https connector parameter sslProtocol="TLS" and replace it with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2". Then restart the CA 7 Web Client service.

    The following example shows how the https connector is configured after the change (the sslEnabledProtocols attribute on the last line replaces the former sslProtocol="TLS").

    <Connector SSLEnabled="true"
               URIEncoding="UTF-8"
               acceptCount="100"
               clientAuth="false"
               compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript"
               compression="no"
               disableUploadTimeout="true"
               enableLookups="false"
               keyAlias="tomcat"
               keypass="changeit"
               keystoreFile="/u/users/cai/ca7webclient1133/apache-tomcat-7.0.29/conf/.keystore"
               maxThreads="150"
               port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https"
               secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
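As an added check that is not part of the original post or of the CA 7 product, the following Python script audits a Tomcat server.xml for HTTPS connectors that can still negotiate SSLv3 (no sslEnabledProtocols attribute, or one that lists SSLv3) and applies the fix described above: drop sslProtocol and set sslEnabledProtocols to the TLS-only list. The embedded server.xml is a constructed sample modelled on the connector in the post, not a file from a real deployment; the function names and the SECURE_PROTOCOLS value are this example's own choices.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml, modelled on the connector shown in the post.
# The path, port and alias are illustrative, not taken from a real installation.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector SSLEnabled="true" port="8443" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               keystoreFile="conf/.keystore" keyAlias="tomcat"
               sslProtocol="TLS"/>
  </Service>
</Server>
"""

# The protocol list recommended in the post. Drop TLSv1 as well once no legacy
# clients need it.
SECURE_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"

# Protocol names that must never appear in sslEnabledProtocols.
# (SSLv2Hello only controls the hello-record format and is not SSLv3 itself.)
FORBIDDEN = {"SSLV2", "SSLV3"}


def https_connectors(root):
    """Return every <Connector> element with SSLEnabled="true"."""
    return [c for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]


def sslv3_possible(connector):
    """True if this JSSE connector may still negotiate SSLv3.

    With only sslProtocol="TLS", Tomcat 7 on Java 7 leaves SSLv3 in the enabled
    protocol set, so a connector is only safe when sslEnabledProtocols is present
    and names no SSL version.
    """
    enabled = connector.get("sslEnabledProtocols")
    if enabled is None:
        return True
    protos = {p.strip().upper() for p in enabled.split(",") if p.strip()}
    return bool(protos & FORBIDDEN)


def audit(xml_text):
    """List (port, sslv3_possible) for each HTTPS connector in the XML."""
    root = ET.fromstring(xml_text)
    return [(c.get("port"), sslv3_possible(c)) for c in https_connectors(root)]


def harden(xml_text, protocols=SECURE_PROTOCOLS):
    """Apply the post's fix to every affected connector.

    Returns (new_xml_text, list_of_ports_changed). Connectors that already
    restrict themselves to TLS are left untouched.
    """
    root = ET.fromstring(xml_text)
    changed = []
    for c in https_connectors(root):
        if sslv3_possible(c):
            # Remove sslProtocol as the post instructs; Tomcat's default is "TLS" anyway.
            c.attrib.pop("sslProtocol", None)
            c.set("sslEnabledProtocols", protocols)
            changed.append(c.get("port"))
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    print("before:", audit(SAMPLE_SERVER_XML))
    fixed, ports = harden(SAMPLE_SERVER_XML)
    print("changed connectors on ports:", ports)
    print("after: ", audit(fixed))
```

Run it against a copy of the real conf/server.xml by replacing SAMPLE_SERVER_XML with the file's contents; note that ElementTree does not preserve comments or the original formatting, so review the output (or apply the attribute change by hand) rather than overwriting the live file blindly. After the restart, confirm the fix from a client with `openssl s_client -connect host:8443 -ssl3`, which must now fail to complete a handshake, while `-tls1_2` succeeds. Separately, the keypass="changeit" value in the post's connector is Tomcat's stock default; a production keystore should not keep it.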