Article ID: 162027
Issue/Introduction
A new OpenSSL vulnerability has been found; it is described in the following articles:
Cause
Note that this issue affects ITMS 7.5 and ITMS 7.6 in scenarios where the Symantec Management Agent establishes an HTTPS connection to a server that supports EXPORT ciphers.
- According to Microsoft's "Cipher Suites in Schannel" article, EXPORT ciphers are disabled by default on Windows 2008 and newer, but administrators may want to double-check that they were not enabled manually.
- Site servers installed on Windows 2003, or on Linux with Apache 2.2, may be affected, because the Apache 2.2 default configuration enables EXPORT ciphers. (http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite)
- The CEM Internet Gateway is affected by this issue because it uses Apache 2.2.
Resolution
The solution is to disable EXPORT ciphers on all servers in the environment.
- See Microsoft's article https://support.microsoft.com/en-us/kb/245030 for how to do this on Windows computers.
- The suggestion below applies to Apache servers (Linux package servers and the CEM Internet Gateway):
Append !EDH to the existing cipher string of the SSLCipherSuite directive in the SSL section of the Apache configuration file. (The directive is SSLCipherSuite, singular; a cipher string consisting only of exclusions such as "!EDH" selects no ciphers at all, so !EDH is added to the existing string rather than replacing it.)
Example: SSLCipherSuite <existing cipher string>:!EDH
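The following script is an added example for checking the Apache change above; it is not part of this article and not Symantec or Apache code. It scans constructed Apache configuration excerpts (the documented Apache 2.2 default cipher string, a hardened version, and the misspelled-directive case) for the SSLCipherSuite directive and reports whether ephemeral DH (!EDH, as this article requires) and, as an extra check of this example's own, export-grade suites (!EXP) are excluded, whether the directive name is misspelled, and whether the cipher string would select no ciphers at all. The keyword analysis is a heuristic over OpenSSL cipher-string tokens, not a full OpenSSL cipher-list resolution.

```python
"""Audit Apache SSLCipherSuite directives for EDH/EXPORT exclusions.

All configuration text below is constructed sample input; the directive
name SSLCipherSuite and the cipher-string keywords are real mod_ssl/OpenSSL
syntax. This is an illustrative check, not an official tool.
"""
import re
from typing import Dict, List

# Constructed sample: the documented Apache 2.2 default cipher string,
# which admits export-grade suites via '+EXP'.
WEAK_CONFIG = """
<IfModule mod_ssl.c>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</IfModule>
"""

# Constructed sample: the same block with the article's '!EDH' appended and,
# as this example's own addition, export and LOW suites explicitly excluded.
HARDENED_CONFIG = """
<IfModule mod_ssl.c>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXP:!LOW:!EDH
</IfModule>
"""

# Constructed sample: wrong directive name (plural) and a string made only of
# exclusions, which would select no cipher suites at all.
MISSPELLED_CONFIG = """
SSLCipherSuites !EDH
"""

# Matches the directive at the start of a line, with an optional quoted value.
DIRECTIVE_RE = re.compile(
    r'^[ \t]*(SSLCipherSuites?)[ \t]+"?([^"\r\n]+)"?',
    re.IGNORECASE | re.MULTILINE,
)

EXPORT_KEYWORDS = {"EXP", "EXPORT", "EXP40", "EXP56"}
# Broad keywords whose expansion on older OpenSSL (0.9.8/1.0.x) includes
# export-grade suites unless they are removed with '!EXP'.
BROAD_KEYWORDS = {"ALL", "COMPLEMENTOFDEFAULT", "LOW"}
EDH_KEYWORDS = {"EDH", "DHE", "KEDH"}


def audit_cipher_string(cipher_string: str) -> Dict[str, bool]:
    """Classify one OpenSSL cipher string by its keyword tokens."""
    tokens = [t.strip().upper() for t in cipher_string.split(":") if t.strip()]
    # '!' removes a group permanently, regardless of later tokens.
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    # Tokens without '!' or '-' add suites; a leading '+' only reorders.
    enabled = {t.lstrip("+") for t in tokens
               if not t.startswith("!") and not t.startswith("-")}
    export_excluded = bool(excluded & EXPORT_KEYWORDS)
    export_possible = (bool(enabled & (EXPORT_KEYWORDS | BROAD_KEYWORDS))
                       and not export_excluded)
    return {
        "edh_excluded": bool(excluded & EDH_KEYWORDS),
        "export_excluded": export_excluded,
        "export_possible": export_possible,
        # Only exclusions present: OpenSSL builds an empty cipher list.
        "empty_list": not enabled,
    }


def audit_config(config_text: str) -> List[Dict[str, object]]:
    """Find every SSLCipherSuite-like directive and audit its value."""
    results = []
    for match in DIRECTIVE_RE.finditer(config_text):
        name, value = match.group(1), match.group(2).strip()
        entry: Dict[str, object] = {
            "directive": name,
            # Apache has no 'SSLCipherSuites' directive; the typo would
            # make the setting ineffective or fail the config test.
            "misspelled": name.lower() != "sslciphersuite",
        }
        entry.update(audit_cipher_string(value))
        results.append(entry)
    return results


def is_hardened(config_text: str) -> bool:
    """True when every directive excludes EDH and cannot offer EXPORT suites."""
    found = audit_config(config_text)
    return bool(found) and all(
        not e["misspelled"] and e["edh_excluded"]
        and not e["export_possible"] and not e["empty_list"]
        for e in found
    )


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                       ("misspelled", MISSPELLED_CONFIG)):
        print(label, is_hardened(cfg), audit_config(cfg))
```

Run it against a real httpd.conf or ssl.conf by reading the file into audit_config(); a result with export_possible set to True means the server can still negotiate export-grade suites and the !EDH change alone does not close that gap.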
Note that a newer version of OpenSSL is included in some ITMS point fixes and hotfixes. For more information, see the following article: