
About Data Center Security: Server (Advanced) and the Poodle SSL 3.0 vulnerability (CVE-2014-3566)

Article ID: 161344

Products

    Critical System Protection

    Data Center Security Server

    Critical System Protection Client Edition

    Data Center Security Server Advanced

Issue/Introduction

A security vulnerability affecting SSL 3.0 (POODLE, CVE-2014-3566) was disclosed on October 14, 2014.

Resolution

The DCS 6.0.x and CSP 5.2.9 Manager use a version of SSL 3.0 that is susceptible to POODLE. Customers should add the entry sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to <server install>\tomcat\conf\server.xml. All future releases will contain this change by default.

Recommended steps:

1. Stop the CSP/DCS manager service.

2. Take a backup of the server.xml file.

3. Edit the server.xml file to make the suggested changes, using an XML editor to ensure that the double quotes (") are written with the correct encoding.

4. Start the CSP/DCS manager service.

 

CSP Server 5.2.9 MP1 - MP5 (having Tomcat 7.x)

DCS:SA Server 6.0, 6.0 MP1 (having Tomcat 7.x)

The entry sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" needs to be added to the three SSL Connectors configured in server.xml.

 

These SSL Connectors are for the:

    Tomcat Stand-Alone Agent Service

    Tomcat Stand-Alone Console Service

    Tomcat Stand-Alone Service

 

The following example shows this change:

<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"
           maxThreads="200" minSpareThreads="50" enableLookups="false" disableUploadTimeout="true" maxKeepAliveRequests="1"
           acceptCount="25" scheme="https" secure="true" SSLEnabled="true"
           keystorePass="<KeyStorePassword>"
           keystoreFile="<KeyStoreFilePath>"
           clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="%comma_separated_list_of_ciphers%"/>

 

<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"
           maxThreads="40" minSpareThreads="10" enableLookups="false"
           disableUploadTimeout="true" maxKeepAliveRequests="1"
           acceptCount="10" scheme="https" secure="true" SSLEnabled="true"
           keystorePass="<KeyStorePassword>"
           keystoreFile="<KeyStoreFilePath>"
           clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="%comma_separated_list_of_ciphers%"/>

 

CSP Server 5.2.8 – 5.2.8 MP4 and 5.2.9 (having Tomcat 5.x):

The entry sslProtocols="TLSv1,TLSv1.1,TLSv1.2" needs to be added to the following SSL Connector configured in server.xml.

    Tomcat Stand-Alone Service

 

The entry sslProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2" needs to be added to the following SSL Connectors configured in server.xml.

    Tomcat Stand-Alone Console Service

    Tomcat Stand-Alone Agent Service

 

The following example shows this change:

<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"
           maxThreads="200" minSpareThreads="50" maxSpareThreads="100"
           enableLookups="false" disableUploadTimeout="true" maxKeepAliveRequests="1"
           acceptCount="25" debug="0" scheme="https" secure="true"
           keystorePass="<KeyStorePassword>"
           keystoreFile="<KeyStoreFilePath>"
           clientAuth="false" sslProtocol="TLS" sslProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"
           ciphers="%comma_separated_list_of_ciphers%"/>

 

<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"
           maxThreads="40" minSpareThreads="10" maxSpareThreads="25"
           enableLookups="false" disableUploadTimeout="true" maxKeepAliveRequests="1"
           acceptCount="10" debug="0" scheme="https" secure="true"
           keystorePass="<KeyStorePassword>"
           keystoreFile="<KeyStoreFilePath>"
           clientAuth="false" sslProtocol="TLS" sslProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"
           ciphers="%comma_separated_list_of_ciphers%"/>

 

<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"
           maxThreads="55" minSpareThreads="5" maxSpareThreads="8"
           enableLookups="false" acceptCount="10" maxKeepAliveRequests="1" debug="0"
           connectionTimeout="20000" scheme="https" disableUploadTimeout="true" secure="true"
           keystorePass="<KeyStorePassword>"
           keystoreFile="<KeyStoreFilePath>"
           clientAuth="false" sslProtocol="TLS" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="%comma_separated_list_of_ciphers%"/>
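Step 3 of the procedure above (edit server.xml with an XML-aware tool rather than by hand) and the two version-specific attribute names (sslEnabledProtocols for the Tomcat 7.x builds, sslProtocols for the Tomcat 5.x builds) can be applied and then verified with a short script. The following is an added example, not code from the article or from the DCS/CSP product: it parses a server.xml with Python's xml.etree, sets the protocol attribute on every HTTPS Connector whose port is listed, and reports any HTTPS Connector that still has no explicit protocol list or still names SSLv3. The sample server.xml, its port numbers (443, 4443, 8081) and the keystore values are constructed for the demonstration; map the real agent, console and admin ports of your installation in the same way.

```python
"""Apply the POODLE mitigation attribute to every HTTPS <Connector> in a Tomcat
server.xml and verify that none is left able to negotiate SSLv3.

Example code added for illustration; not part of the DCS/CSP product.
"""
import xml.etree.ElementTree as ET

# Attribute name depends on the Tomcat generation shipped with the manager:
#   Tomcat 7.x builds use sslEnabledProtocols, Tomcat 5.x builds use sslProtocols.
PROTOCOL_ATTR = {5: "sslProtocols", 7: "sslEnabledProtocols"}
TLS_ONLY = "TLSv1,TLSv1.1,TLSv1.2"
TLS_WITH_HELLO = "SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"

# Constructed sample server.xml (ports and keystore values are placeholders).
# Port 8081 deliberately still lists SSLv3 so the check below has something to flag.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" maxThreads="20"/>
    <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/agent.keystore" keystorePass="CHANGEME"/>
    <Connector port="4443" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/console.keystore" keystorePass="CHANGEME"/>
    <Connector port="8081" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS" sslProtocols="SSLv3,TLSv1"
               keystoreFile="conf/admin.keystore" keystorePass="CHANGEME"/>
  </Service>
</Server>
"""


def _https_connectors(root):
    """Yield every <Connector> that terminates TLS (scheme https or SSLEnabled true)."""
    for conn in root.iter("Connector"):
        if conn.get("scheme") == "https" or conn.get("SSLEnabled", "").lower() == "true":
            yield conn


def harden_connectors(xml_text, tomcat_major, protocols_by_port):
    """Return (new_xml_text, list_of_changed_ports).

    protocols_by_port maps a connector port (as a string) to the protocol list it
    should advertise. HTTPS connectors whose port is not in the map are left alone,
    as are connectors that already carry the wanted value.
    """
    attr = PROTOCOL_ATTR[tomcat_major]
    root = ET.fromstring(xml_text)
    changed = []
    for conn in _https_connectors(root):
        port = conn.get("port")
        wanted = protocols_by_port.get(port)
        if wanted is None or conn.get(attr) == wanted:
            continue
        conn.set(attr, wanted)  # serialised with proper double quotes and XML escaping
        changed.append(port)
    return ET.tostring(root, encoding="unicode"), changed


def ports_still_allowing_ssl3(xml_text, tomcat_major):
    """Ports of HTTPS connectors that either have no explicit protocol list (so the
    JVM default, which may include SSLv3, applies) or explicitly list SSLv3."""
    attr = PROTOCOL_ATTR[tomcat_major]
    root = ET.fromstring(xml_text)
    flagged = []
    for conn in _https_connectors(root):
        value = conn.get(attr)
        if value is None or "SSLv3" in value.replace(" ", "").split(","):
            flagged.append(conn.get("port"))
    return flagged


if __name__ == "__main__":
    # Tomcat 5.x layout from the article: console and agent connectors keep
    # SSLv2Hello, the stand-alone (admin) connector gets the plain TLS list.
    mapping = {"443": TLS_WITH_HELLO, "4443": TLS_WITH_HELLO, "8081": TLS_ONLY}
    print("before:", ports_still_allowing_ssl3(SAMPLE_SERVER_XML, 5))
    new_xml, changed = harden_connectors(SAMPLE_SERVER_XML, 5, mapping)
    print("changed:", changed)
    print("after:", ports_still_allowing_ssl3(new_xml, 5))
    print(new_xml)
```

ElementTree rewrites the whole document and drops comments and the XML declaration, so keep the backup from step 2 and diff the result before restarting the service; the same two functions run with tomcat_major=7 for the Tomcat 7.x builds, where only the attribute name changes.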

--

This issue has been addressed in SCSP 5.2.9 MP6.

Symantec Critical System Protection 5.2 RU9 MP6 uses only the TLSv1.x protocols to communicate among the server, agent, and console.

--