CMEW Vulnerability “SSL/TLS use of weak RC4(Arcfour) cipher” and “Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)” concerns

Article ID: 192172

Products

CA Endevor Software Change Manager (SCM)
CA Endevor Software Change Manager - Natural Integration (SCM)
CA Endevor Software Change Manager - ECLIPSE Plugin (SCM)
CA Endevor Software Change Manager - Enterprise Workbench (SCM)

Issue/Introduction

The Vulnerability Team has found the high severity vulnerabilities “SSL/TLS use of weak RC4(Arcfour) cipher” and “Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)”, related to weak cipher suites on the attached servers. To eliminate these vulnerabilities, the team will be disabling the weak cipher suites RC4 and 3DES on the servers.

The activity will be performed in each server's agreed maintenance window, and the server will be rebooted.

1) What remediation steps will be taken by the Operating Systems team to fix the vulnerability?

   Disabling the weak cipher suites RC4 and 3DES, followed by a server reboot.

2) What remediation steps are expected from the Apps Teams (HCL/Volvo) from the Operating System perspective?

   The Apps teams are requested to check whether the application depends on the weak cipher suites, and to test functionality once the activity is completed, confirming whether the application is functioning up to the mark.

Will these actions have any effect on CA Change Manager Enterprise Workbench or Tomcat?

Environment

Release : 12.0

Component : CA CM Enterprise Workbench

Resolution

Disabling the weak cipher suites at the operating system level does not impact Tomcat and CMEW, because they use Java's security functions, which are independent of the OS. It is recommended to validate that CMEW still works after the change simply by logging in and ensuring that the product can be accessed.
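Because Java's TLS stack ignores the OS cipher policy, the RC4 and 3DES suites have to be checked (and, if needed, disabled) on the JVM side as well. The following is an added example, not code from CMEW, Tomcat or Broadcom: a small hypothetical helper that prints the JDK's `jdk.tls.disabledAlgorithms` security property and the cipher suites the JVM's default SSLContext would enable, flagging any RC4 or 3DES suite; run it with the same JDK that starts Tomcat.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;

/**
 * Hypothetical helper (not part of CMEW or Tomcat): report which cipher
 * suites this JVM's default SSLContext actually enables and flag the RC4
 * and 3DES suites named in the advisory. The JDK's java.security file,
 * not the OS cipher policy, decides what JSSE offers, so this must be
 * run with the JDK that Tomcat is started with.
 */
public class JsseCipherCheck {

    // Substrings that identify the suites this article is about.
    private static final List<String> WEAK_MARKERS = Arrays.asList("RC4", "3DES_EDE");

    /** Cipher suites JSSE enables by default in this JVM. */
    static List<String> enabledSuites() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        return Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());
    }

    /** Subset of the given suites that use RC4 or 3DES. */
    static List<String> weakSuites(List<String> suites) {
        return suites.stream()
            .filter(s -> WEAK_MARKERS.stream().anyMatch(s::contains))
            .collect(Collectors.toList());
    }

    public static void main(String[] args) throws Exception {
        // JDK-level switch that governs JSSE independently of the OS.
        System.out.println("jdk.tls.disabledAlgorithms = "
            + Security.getProperty("jdk.tls.disabledAlgorithms"));

        List<String> enabled = enabledSuites();
        List<String> weak = weakSuites(enabled);
        System.out.println(enabled.size() + " suites enabled by default");
        if (weak.isEmpty()) {
            System.out.println("OK: no RC4 or 3DES suites enabled by JSSE");
        } else {
            System.out.println("WARNING: weak suites still enabled; add them to "
                + "jdk.tls.disabledAlgorithms or restrict the Tomcat connector's ciphers list:");
            weak.forEach(s -> System.out.println("  " + s));
        }
    }
}
```

A clean result here, together with a successful CMEW login after the OS change, confirms that both the OS and the Java side no longer offer the suites the scanner reported.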