CVE-2009-3555 - SSLv3/TLS Renegotiation Stream Injection and relation to xFlow/Service Point

Article ID: 246827

Products

CA Service Management - Service Desk Manager

Issue/Introduction

The following vulnerability was found in the latest vulnerability scan:

Patches must be applied to the underlying web server and SSL library. While many sites completely disable the renegotiation feature, it is advised to patch instead, because clients cannot otherwise tell the difference between a vulnerable and a patched server and may completely refuse to connect to such a server.

Further, the server should reject client-initiated renegotiation requests, as they may assist in a denial of service (DoS) attack against the server. Establishing an encrypted SSL connection is a computationally expensive task. Most firewalls and DoS prevention tools watch for the connection rate, among other parameters. The renegotiation feature allows an attacker to repeatedly send multiple connection re-establishment requests over a single TCP connection, avoiding detection by DoS prevention tools.

The question is whether ServiceDesk and xFlow are impacted.

Environment

Release : 17.3

Component : SDM - Vulnerability

Resolution

The described vulnerability is an SSL/TLS renegotiation issue that occurs during the SSL handshake between the browser and the web server. SDM/xFlow are not involved. We do not handle any SSL renegotiations.

The above vulnerability does not apply to SDM/xFlow.

Additional Information

According to the following pages, the Akka HTTP Server (used in xFlow) is not listed as vulnerable to CVE-2009-3555, and the page listing Akka vulnerabilities does not include this CVE either.

https://www.cvedetails.com/product/40771/Akka-Http-Server.html?vendor_id=16757
https://www.cvedetails.com/cve-details.php?cve_id=CVE-2009-3555