
Does the OpenSSL vulnerability CVE-2015-4000 affect ITMS versions 7.5 or 7.6, and if so, how can the effect be mitigated?

Article ID: 162027

Products

IT Management Suite

Issue/Introduction

A new OpenSSL vulnerability has been found; it is described in the following articles:

Cause

Note that this issue affects ITMS 7.5 and ITMS 7.6 in scenarios where the Symantec Management Agent establishes an HTTPS connection to a server that supports EXPORT ciphers.
  • According to Microsoft's "Cipher Suites in Schannel" article, EXPORT ciphers are disabled by default on Windows 2008 and newer, but administrators may want to double-check that they were not enabled manually.
  • Site servers installed on Windows 2003, or on a Linux platform with Apache 2.2, may be affected, because the Apache 2.2 default configuration enables EXPORT ciphers. (http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite)
  • The CEM Internet Gateway is affected by this issue because it uses Apache 2.2.

Resolution

The solution is to disable EXPORT ciphers on all servers in the environment.
  • See Microsoft’s article https://support.microsoft.com/en-us/kb/245030 on how to do this on Windows computers.
  • The following works for Apache servers (Linux package servers and the CEM Internet Gateway):
    Add !EDH to the SSLCipherSuite directive (singular; mod_ssl does not recognise "SSLCipherSuites") in the SSL section of the Apache config file, keeping the existing cipher list and appending the exclusion to it.
    Example: SSLCipherSuite <existing cipher list>:!EDH
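To verify the Apache side of this resolution across many site servers, the following added script (not code from this article or from ITMS) audits every SSLCipherSuite line in an httpd.conf fragment: it reports strings that still enable EXPORT suites (as the Apache 2.2 default does with +EXP), strings that carry no !EXP/!EDH exclusion at all, and the misspelled directive name "SSLCipherSuites". The sample configuration embedded at the bottom is constructed for the demonstration.

```python
"""Audit Apache SSLCipherSuite lines for the CVE-2015-4000 mitigation (constructed
example, not code from the KB article or from ITMS)."""
import re

# OpenSSL cipher-string aliases that remove export / ephemeral-DH suites.
EXCLUDES_EXPORT = {"!EXP", "!EXPORT", "!EXPORT40", "!EXPORT56", "!EDH"}
# Aliases that explicitly add export suites (the Apache 2.2 default ends in +EXP).
ENABLES_EXPORT = {"EXP", "+EXP", "EXPORT", "+EXPORT"}
# Directive plus optionally quoted value; 's?' also catches the misspelled 'SSLCipherSuites'.
DIRECTIVE_RE = re.compile(r'^\s*(SSLCipherSuites?)\s+"?([^"]+?)"?\s*$', re.I)


def check_cipher_string(value: str) -> str:
    """Return 'export-enabled', 'export-not-excluded' or 'ok'. Conservative on
    purpose: 'ok' requires an explicit !EXP/!EDH token, as the KB instructs."""
    tokens = [t.strip().upper() for t in value.split(":")]
    if any(t in ENABLES_EXPORT for t in tokens):
        return "export-enabled"
    if not any(t in EXCLUDES_EXPORT for t in tokens):
        return "export-not-excluded"
    return "ok"


def audit_cipher_config(config_text: str) -> list[dict]:
    """Return {'line', 'problem'} for each SSLCipherSuite line needing attention."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)  # comment lines never match
        if not m:
            continue
        directive, value = m.groups()
        if directive.lower().endswith("s"):  # 'SSLCipherSuites' is rejected by mod_ssl
            findings.append({"line": lineno, "problem": "misspelled-directive"})
        elif (verdict := check_cipher_string(value)) != "ok":
            findings.append({"line": lineno, "problem": verdict})
    return findings


# Constructed httpd.conf fragment: line 2 keeps the Apache 2.2 default string,
# line 5 misspells the directive, line 8 applies the KB fix correctly.
SAMPLE_CONFIG = """\
<VirtualHost _default_:443>
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>
<VirtualHost *:443>
    SSLCipherSuites HIGH:!EDH
</VirtualHost>
<VirtualHost *:443>
    SSLCipherSuite "HIGH:!aNULL:!EDH"
</VirtualHost>
"""
```

Run audit_cipher_config() over each server's SSL config file; an empty result means every cipher directive carries an explicit exclusion, after which the change still needs an Apache restart to take effect.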
Note that there is a new version of OpenSSL available in some of the ITMS pointfixes and hotfixes. For more information, see the following article: