VIP Enterprise Gateway | Security fixes for SSP IdP Proxy

Article ID: 176588

Products

VIP Enterprise Gateway

Issue/Introduction

VIP Self Service Portal IdP Proxy development has ended with version 9.7; no further releases or updates are planned. Symantec recommends using an alternative proxy solution for the Self Service Portal. SSP IdP Proxy 9.7 continues to work with VIP Enterprise Gateway 9.7, and with VIP Enterprise Gateway 9.8 with limited features.

Resolution

VIP Self Service Portal IdP Proxy

This component of Enterprise Gateway is deployed in the DMZ and is applicable when:

  • End users access the VIP Self Service Portal from outside your corporate network
  • You have applications that are integrated with VIP JavaScript to enable Intelligent Authentication, Access Push, or Registered Computer functionality.

Security Fixes

VIP Self-Service Portal IdP Proxy 9.7

Sweet32 Vulnerability:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2183 

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple-DES in CBC mode, aka a "Sweet32" attack.

Resolution for VIP Self Service Portal IdP Proxy version 9.7

Complete the following procedures on the machine hosting the Self Service Portal IdP Proxy to update the component.

  1. Stop the VIP Self Service IdP Proxy service.
    • On Windows, use the Services panel.
    • On Linux, run the jetty stop command:
      ./jetty.sh stop
  2. Create a backup copy of the current jetty.xml file located in the <SSP_PROXY_INSTALLATION>/server/etc/ folder.
  3. Edit jetty.xml and search for the following string in the excluded cipher suites list:
    <Item>SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
  4. Add the following lines after it, so that the proxy no longer offers any 3DES suite in the TLS handshake:
    <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
    <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
    <Item>SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA</Item>
    <Item>SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
    <Item>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
    Append only the entries that are not already present. The string you searched for in step 3 is already in the list, so do not add it a second time.
  5. Start the VIP Self Service IdP Proxy service.
    • On Windows, use the Services panel.
    • On Linux, run the jetty start command:
       ./jetty.sh start
    After the restart, confirm with a TLS scan from outside the DMZ that the proxy no longer negotiates any 3DES cipher suite.

VIP Self Service IdP Proxy 9.6.1

Sweet32 Vulnerability:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2183

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple-DES in CBC mode, aka a "Sweet32" attack.

RC4 Bar Mitzvah Vulnerability:

Security researchers have found a vulnerability (nicknamed RC4 Bar Mitzvah) that exploits a weakness in the older, less secure RC4 encryption algorithm option in SSL/TLS, which is still supported in many browsers and servers. The attack relies on statistical biases in the first bytes of the RC4 keystream (the "Invariance Weakness"), which let an attacker who observes many sessions recover parts of the plaintext sent at the start of a session, such as session cookies or credentials, without recovering the key.

Install this update if you are running VIP Enterprise Gateway 9.6.1 (VIP Self Service IdP Proxy) on Windows or Linux.

Note: The channel from VIP Enterprise Gateway to the corporate user store may also be affected if it is protected with TLS and the user store still offers these cipher suites. Because clients other than VIP Enterprise Gateway also connect to the user store, Symantec recommends disabling the affected ciphers in the TLS configuration of the user store itself rather than on each client. Follow your LDAP server vendor's guidance for the remediation details.

Resolution for VIP Self Service Portal IdP Proxy version 9.6.1

Complete the following procedures on the machine hosting the Self Service Portal IdP Proxy to update the component.

  1. Stop the VIP Self Service IdP Proxy service.
    1. On Windows, use the Services panel.
    2. On Linux, run the jetty stop command:
       ./jetty.sh stop
  2. Back up jetty.xml from the <SSP_PROXY_INSTALLATION>/server/etc/ folder.
  3. Edit jetty.xml and search for the following string in the excluded cipher suites list:
    <Item>TLS_KRB5_WITH_DES_CBC_SHA</Item>
  4. Add the following lines after it:
    <Item>TLS_RSA_EXPORT_WITH_RC4_40_MD5</Item>
    <Item>TLS_RSA_WITH_RC4_128_MD5</Item>
    <Item>TLS_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
    <Item>TLS_DH_anon_WITH_RC4_128_MD5</Item>
    <Item>TLS_KRB5_WITH_RC4_128_SHA</Item>
    <Item>TLS_PSK_WITH_RC4_128_SHA</Item>
    <Item>TLS_DHE_PSK_WITH_RC4_128_SHA</Item>
    <Item>TLS_RSA_PSK_WITH_RC4_128_SHA</Item>
    <Item>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</Item>
    <Item>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</Item>
    <Item>TLS_ECDH_RSA_WITH_RC4_128_SHA</Item>
    <Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item>
    <Item>TLS_ECDHE_PSK_WITH_RC4_128_SHA</Item>
    <Item>TLS_ECDH_anon_WITH_RC4_128_SHA</Item>
    <Item>TLS_KRB5_EXPORT_WITH_RC4_40_SHA</Item>
    <Item>TLS_KRB5_EXPORT_WITH_RC4_40_MD5</Item>
    <Item>TLS_KRB5_WITH_RC4_128_MD5</Item>
    <Item>TLS_RSA_WITH_RC4_128_SHA</Item>
    <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
    <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
    <Item>SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA</Item>
    <Item>SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
    <Item>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>

Note: Depending on the product version, jetty.xml may already exclude some of these cipher suites. Append only the entries that are missing from the list; do not add duplicates.

  5. Start the VIP Self Service IdP Proxy service.
    1. On Windows, use the Services panel.
    2. On Linux, run the jetty start command:
       ./jetty.sh start
    After the restart, confirm with a TLS scan from outside the DMZ that the proxy no longer negotiates any RC4 or 3DES cipher suite.
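The 9.7 and 9.6.1 procedures above are the same edit with a different anchor line and a different list of suites, and the rule of appending only the entries that are missing is easy to get wrong by hand across two dozen lines. The following script is an added illustration, not code from the article or from the product: it finds the anchor <Item>, inserts only the suites not already in the enclosing array, preserves the file's indentation and line endings, and refuses to edit an array that is not an exclusion list. It assumes the stock Jetty layout (one <Item> per line inside an <Array type="String"> under <Set name="ExcludeCipherSuites">), which the article does not state; the jetty.xml fragment inside the script is constructed for a dry run, and the script name fix_ciphers.py is arbitrary.

```python
"""Append the jetty.xml cipher-suite exclusions from this article, idempotently.
Assumed layout (not stated in the article): one <Item> per line inside an
<Array type="String"> under <Set name="ExcludeCipherSuites">, as in stock Jetty."""
import re
import shutil
import sys
from pathlib import Path

# Suites the article appends after its anchor line, in the order it lists them.
SWEET32_3DES = [
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA",
    "SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
]
BAR_MITZVAH_RC4 = [
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5", "TLS_DH_anon_WITH_RC4_128_MD5",
    "TLS_KRB5_WITH_RC4_128_SHA", "TLS_PSK_WITH_RC4_128_SHA",
    "TLS_DHE_PSK_WITH_RC4_128_SHA", "TLS_RSA_PSK_WITH_RC4_128_SHA",
    "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDH_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_PSK_WITH_RC4_128_SHA", "TLS_ECDH_anon_WITH_RC4_128_SHA",
    "TLS_KRB5_EXPORT_WITH_RC4_40_SHA", "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
    "TLS_KRB5_WITH_RC4_128_MD5", "TLS_RSA_WITH_RC4_128_SHA",
]
# proxy version -> (anchor <Item> the article says to search for, suites to add)
PROCEDURES = {
    "9.7": ("SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", SWEET32_3DES),
    "9.6.1": ("TLS_KRB5_WITH_DES_CBC_SHA", BAR_MITZVAH_RC4 + SWEET32_3DES),
}
ITEM_RE = re.compile(r"^(\s*)<Item>\s*([A-Za-z0-9_]+)\s*</Item>\s*$")


def _item(line):
    """Cipher-suite name on a one-per-line <Item> entry, or None."""
    m = ITEM_RE.match(line)
    return m.group(2) if m else None


def add_exclusions(xml_text, version):
    """Return (new_text, appended): suites not yet present, inserted after the anchor.
    Duplicates are checked only inside the <Array> holding the anchor, and the edit
    is refused if that array is not an exclusion list, so an include list can never
    be widened by mistake."""
    anchor, suites = PROCEDURES[version]
    lines = xml_text.splitlines(keepends=True)
    idx = next((i for i, l in enumerate(lines) if _item(l) == anchor), None)
    if idx is None:
        raise ValueError(f"<Item>{anchor}</Item> not found: is this jetty.xml from {version}?")
    start = idx
    while start >= 0 and "<Array" not in lines[start]:
        start -= 1
    end = idx
    while end < len(lines) and "</Array>" not in lines[end]:
        end += 1
    if start < 0 or end == len(lines):
        raise ValueError("anchor is not inside an <Array>...</Array> block")
    owner = next((l for l in reversed(lines[:start + 1]) if "<Set " in l or "<Call " in l), "")
    if "Exclude" not in owner:
        raise ValueError(f"refusing to edit a list that is not an exclusion list: {owner.strip()!r}")
    present = {_item(l) for l in lines[start:end]} - {None}
    appended = [s for s in suites if s not in present]
    indent = ITEM_RE.match(lines[idx]).group(1)                # keep the file's indentation
    newline = "\r\n" if lines[idx].endswith("\r\n") else "\n"  # and its line endings
    lines[idx + 1:idx + 1] = [f"{indent}<Item>{s}</Item>{newline}" for s in appended]
    return "".join(lines), appended


# Constructed fragment in the assumed layout, for a dry run without a real install.
# It already excludes one RC4 suite and the 9.7 anchor, which must not be duplicated.
SAMPLE_JETTY_XML = """<?xml version="1.0"?>
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>TLS_KRB5_WITH_DES_CBC_SHA</Item>
      <Item>SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
      <Item>TLS_RSA_WITH_RC4_128_SHA</Item>
    </Array>
  </Set>
</Configure>
"""


def main(argv):
    if len(argv) != 3 or argv[2] not in PROCEDURES:
        sys.exit("usage: fix_ciphers.py <SSP_PROXY_INSTALLATION>/server/etc/jetty.xml 9.7|9.6.1")
    path = Path(argv[1])
    shutil.copy2(path, path.with_name(path.name + ".bak"))   # step 2: keep a backup
    text, appended = add_exclusions(path.read_bytes().decode("utf-8"), argv[2])
    path.write_bytes(text.encode("utf-8"))                    # bytes, so line endings survive
    print(f"appended {len(appended)} suite(s): {', '.join(appended) or 'none, already present'}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it between steps 1 and 5 of the procedure, after the service is stopped: python fix_ciphers.py <SSP_PROXY_INSTALLATION>/server/etc/jetty.xml 9.6.1 (or 9.7). It writes jetty.xml.bak next to the file before modifying it, so step 2 is covered, and running it twice is harmless because the second run finds nothing to append. The exclusion list only governs what the proxy offers; a TLS scan from outside the DMZ after the restart is still the only proof that the change took effect.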

VIP Self-Service Portal IdP Proxy (9.0, 9.1, 9.2, 9.3, 9.4, 9.5)

If you are using an older version of VIP Self-Service Portal IdP Proxy, Symantec recommends that you update it to version 9.7 or higher.

VIP Enterprise Gateway

To fix the same vulnerabilities in VIP Enterprise Gateway itself, refer to

https://knowledge.symantec.com/uk/support/ua-support/index?page=content&id=SO28541
