Remediation Steps to Secure CA Service Desk Manager from POODLE Vulnerability (CVE-2014-3566)

Article ID: 29169


Products

CA Service Management - Service Desk Manager
CA Service Desk Manager

Issue/Introduction

CA Technologies is investigating a medium-risk (NVD rating) vulnerability in SSL (Secure Sockets Layer) version 3 that was publicly disclosed on October 14, 2014 and is referred to as "POODLE" (Padding Oracle On Downgraded Legacy Encryption). This is a general weakness of the SSLv3 protocol, not a CA product issue: any server that still negotiates SSLv3 is affected, and the fix is to stop offering it. More details can be found under CVE-2014-3566.

 

Environment

Release: SDMU0M99000-14.1-Service Desk Manager-Full License

Resolution

Customers who have configured CA Service Desk Manager over the HTTPS protocol need to disable SSLv3. The steps to disable SSLv3 for each supported web server follow:

Tomcat:

  1. On the CA Service Desk Manager server, modify the Tomcat configuration file 'server.xml' (located in NX_ROOT\bopcfg\www\CATALINA_BASE\conf\) and locate the following snippet:
        <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
  2. Change it to:
        <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
     sslProtocol="TLS" on its own is not enough: it only selects the JSSE context, and the default enabled-protocol list of the JVMs of that time still included SSLv3. sslEnabledProtocols names the allowed protocols explicitly, so neither SSLv3 nor SSLv2 can be negotiated any more.
  3. Make the same change in each copy of server.xml, which can be found under the following paths:
    1. $NX_ROOT\bopcfg\www\CATALINA_BASE\conf
    2. $NX_ROOT\bopcfg\www\CATALINA_BASE_FS\conf
    3. $NX_ROOT\bopcfg\www\CATALINA_BASE_REST\conf
    4. $NX_ROOT\bopcfg\www\CATALINA_BASE_SA\conf
    5. $NX_ROOT\bopcfg\www\CATALINA_BASE_VIZ\conf
  4. In a conventional setup, make the change on the primary server and on all secondary servers. In an Advanced Availability setup, make the change on the background server, all standby servers and all application servers. Tomcat reads server.xml only at startup, so restart the affected Tomcat instances for the change to take effect.

 

Note:

A) For CA Open Space or CA Unified Self Service, modify server.xml as in step 2. The configuration file server.xml can be found under the following path:

{INSTALL_DIR}\OSOP\tomcat-xxx\conf where 'INSTALL_DIR' refers to the Open Space installation directory.

B) Certain Tomcat builds do not recognise the sslEnabledProtocols attribute. On those installs, success was seen with the older attribute name sslProtocols instead of the string suggested in step 2 above:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" />
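The procedure above has to be repeated in up to five server.xml files per server (plus the Open Space copy) and on every server in the cluster, which is where connectors get missed. The following script is an added example, not code from CA or from the Service Desk Manager product: it walks the CATALINA_BASE* directories under NX_ROOT, reports every SSLEnabled connector that does not restrict its protocols (or still lists SSLv2/SSLv3), and with -Fix sets sslEnabledProtocols as in step 2, backing up each file first. It assumes the directory layout given in this article and a Tomcat build that honours sslEnabledProtocols; the -ExtraServerXml parameter and the output labels are this example's own.

```powershell
# Added example (not CA-supplied code): audit every SDM Tomcat server.xml for HTTPS
# connectors that may still negotiate SSLv3, and with -Fix set sslEnabledProtocols on them.
# Assumptions: the NX_ROOT\bopcfg\www\CATALINA_BASE*\conf layout from this article,
# and a Tomcat that understands sslEnabledProtocols (older builds use sslProtocols, Note B).
param(
    [string]$NxRoot = $env:NX_ROOT,
    [string]$Protocols = "TLSv1,TLSv1.1,TLSv1.2",   # list to apply to unhardened connectors
    [string[]]$ExtraServerXml = @(),                # e.g. the Open Space tomcat-xxx\conf\server.xml
    [switch]$Fix
)

$bases = "CATALINA_BASE", "CATALINA_BASE_FS", "CATALINA_BASE_REST", "CATALINA_BASE_SA", "CATALINA_BASE_VIZ"
$files = @($bases | ForEach-Object { Join-Path $NxRoot "bopcfg\www\$_\conf\server.xml" }) + $ExtraServerXml

# A connector counts as hardened only if it lists its protocols explicitly and that
# list contains no SSLv2/SSLv3 entry. sslProtocol="TLS" alone is not enough: it selects
# the JSSE context, whose default enabled protocols on JVMs of that era included SSLv3.
function Test-ConnectorHardened {
    param([System.Xml.XmlElement]$Connector)
    $value = $Connector.GetAttribute("sslEnabledProtocols")
    if (-not $value) { $value = $Connector.GetAttribute("sslProtocols") }   # older attribute name (Note B)
    if (-not $value) { return $false }
    $list = $value -split "\s*,\s*"
    return -not ($list -match '^SSLv[23]$')
}

foreach ($path in $files) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Missing: $path"; continue }
    $full = (Resolve-Path -LiteralPath $path).ProviderPath   # absolute path for XmlDocument.Save
    [xml]$doc = Get-Content -LiteralPath $full -Raw
    $changed = $false
    foreach ($conn in $doc.SelectNodes("//Connector[@SSLEnabled='true']")) {
        $port = $conn.GetAttribute("port")
        if (Test-ConnectorHardened $conn) {
            Write-Host "OK     $full (port $port)"
            continue
        }
        Write-Host "WEAK   $full (port $port) may negotiate SSLv3"
        if ($Fix) {
            $conn.RemoveAttribute("sslProtocols")              # do not leave two competing protocol lists
            $conn.SetAttribute("sslEnabledProtocols", $Protocols)
            $changed = $true
        }
    }
    if ($changed) {
        Copy-Item -LiteralPath $full -Destination ("{0}.bak-{1:yyyyMMddHHmmss}" -f $full, (Get-Date))
        $doc.Save($full)
        Write-Host "FIXED  $full (restart this Tomcat instance to apply)"
    }
}
```

Run it once without -Fix on every primary, secondary, background, standby and application server to get the inventory, then with -Fix; a connector that was only commented out in server.xml is not matched, because XPath does not descend into comments. Saving through XmlDocument rewrites whitespace, which is why a timestamped backup is taken before the file is touched.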

 

IIS:

You can disable server-side support for the SSL 3.0 protocol in SCHANNEL on Windows by following these steps:

  1. Click Start, click Run, type regedt32 or regedit, and then click OK.
  2. In Registry Editor, locate the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
    Note: If the complete registry key path does not exist, create the missing keys with New -> Key from the Edit menu, expanding one level at a time.
  3. On the Edit menu, create a new value of type DWORD (32-bit) (in regedt32: Add Value, data type DWORD).
  4. In the Value Name box, type Enabled, and then click OK.
     Note: If a value named Enabled is already present, double-click it to edit its current data instead.
  5. In the Edit DWORD (32-bit) Value dialog box, type 0.
  6. Click OK. Restart the computer: SCHANNEL reads these keys at boot, so the change is not effective until then.

Customers who have CA Embedded Entitlements Manager configured with CA Service Desk Manager also need to perform the following additional steps:

 

Embedded Entitlements Manager

The EEM server (iGateway) uses SSLv23 as its default protocol, which means it will negotiate SSLv2, SSLv3 or TLSv1 with the peer. The EEM C++ SDK also defaults to SSLv23, while the EEM Java SDK defaults to TLSv1. The protocol is configurable on both the SDK side and the server side as follows; TLSV1 pins a single protocol version, so SSLv3 can no longer be selected on either end.

  1. In the EEM SDK config file (<NX_ROOT>/pdmconf/eiam.config), in the iTechSDK section for C++, update the following:
    <TransportConfig>
        <!--possible values are SSLV23 /SSLV3/TLSV1-->
        <secureProtocol>TLSV1</secureProtocol>
    </TransportConfig>
  2. On the EEM server, in the igateway.conf file, under the <Connector name="defaultport"> tag, set the protocol to TLSV1:
    <secureProtocol>TLSV1</secureProtocol>

iTechnology

  1. In igateway.conf, under the <Connector name="defaultport"> tag, set the protocol to TLSV1:

                <secureProtocol>TLSV1</secureProtocol>

 

Reference: https://cwiki.apache.org/confluence/display/CXF/Security+Advisories

Additional Information

Bar Mitzvah & Sweet32:
===================

To disable RC4 (the 'Bar Mitzvah' attack, CVE-2015-2808) on Tomcat, add the following ciphers attribute to the Connector port="8443" entry in server.xml under 'NX_ROOT\bopcfg\www\CATALINA_BASE\conf' (and in the other CATALINA_BASE_* copies listed above). Tomcat then offers only the suites named, so the list must not contain any SSL_RSA_WITH_RC4_* suite, or RC4 is re-enabled:

ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"

For IIS, RC4 must additionally be disabled on the OS side, in the SCHANNEL cipher settings. Refer to the following link: http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx

Sweet32 (CVE-2016-2183) concerns the 64-bit block size of 3DES. On Tomcat the same ciphers attribute covers it, because the list above names no 3DES suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA and its ECDHE variants are left out). For IIS it is addressed at the Windows level by disabling the 'Triple DES 168' cipher in SCHANNEL. See the following on the Sweet32 vulnerability: https://bobcares.com/blog/how-to-fix-sweet32-birthday-attacks-vulnerability-cve-2016-2183/3/
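The IIS registry procedure earlier on this page and the OS-side RC4 and 3DES changes just mentioned all end up as DWORD values under the same SCHANNEL key. The script below is an added example, not code from CA or from Microsoft: it writes the SSL 3.0 server switch (POODLE), the four RC4 cipher entries (Bar Mitzvah) and the Triple DES 168 entry (Sweet32), then reads every value back so a failed write is visible. It uses the .NET registry API rather than the HKLM: drive because cipher key names such as "RC4 128/128" contain a slash, which the PowerShell registry provider would treat as a path separator. The key and value names are the ones Microsoft documents for SCHANNEL; this article itself only lists the SSL 3.0 one, so the cipher entries are this example's assumption about what the linked advisories require.

```powershell
# Added example (not CA-supplied code): disable SSL 3.0 on the server side (POODLE),
# RC4 (Bar Mitzvah) and 3DES (Sweet32) in SCHANNEL, then verify by reading back.
# Run from an elevated PowerShell; SCHANNEL only picks the values up after a reboot.
# Assumption: the subkey/value names below, as documented by Microsoft for SCHANNEL,
# are what IIS on this SDM host consults; the article itself lists only the SSL 3.0 one.
$schannel = "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

# (subkey relative to SCHANNEL, value name, DWORD data) for each setting
$settings = @(
    @{ SubKey = "Protocols\SSL 3.0\Server"; Name = "Enabled"; Value = 0 }   # POODLE (the IIS step above)
    @{ SubKey = "Ciphers\RC4 128/128";      Name = "Enabled"; Value = 0 }   # Bar Mitzvah: every RC4 length
    @{ SubKey = "Ciphers\RC4 64/128";       Name = "Enabled"; Value = 0 }
    @{ SubKey = "Ciphers\RC4 56/128";       Name = "Enabled"; Value = 0 }
    @{ SubKey = "Ciphers\RC4 40/128";       Name = "Enabled"; Value = 0 }
    @{ SubKey = "Ciphers\Triple DES 168";   Name = "Enabled"; Value = 0 }   # Sweet32
)

function Set-SchannelDword {
    param([string]$SubKey, [string]$Name, [int]$Value)
    # CreateSubKey creates any missing part of the path and opens the key writable.
    # The .NET API keeps "/" inside a key name; the HKLM: provider would split on it.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$schannel\$SubKey")
    try { $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

function Get-SchannelDword {
    param([string]$SubKey, [string]$Name)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannel\$SubKey")
    if ($null -eq $key) { return $null }          # key absent: the Windows default applies
    try { return $key.GetValue($Name, $null) } finally { $key.Close() }
}

foreach ($s in $settings) {
    Set-SchannelDword -SubKey $s.SubKey -Name $s.Name -Value $s.Value
}

# Verify: each entry must read back as the value written; anything else is a failed write
$failed = 0
foreach ($s in $settings) {
    $actual = Get-SchannelDword -SubKey $s.SubKey -Name $s.Name
    $state = if ($actual -eq $s.Value) { "OK  " } else { $failed++; "FAIL" }
    Write-Host ("{0} SCHANNEL\{1}  {2} = {3}" -f $state, $s.SubKey, $s.Name, $actual)
}
if ($failed -eq 0) { Write-Host "All values set. Reboot the server for SCHANNEL to apply them." }
else { Write-Warning "$failed value(s) could not be verified; check that the shell is elevated." }
```

Only the Server subkey of SSL 3.0 is touched, matching the registry step in this article; the Client subkey governs outbound connections the host itself makes and is a separate decision. Disabling Triple DES 168 leaves AES as the only block cipher SCHANNEL will offer, so confirm that every client that must reach the IIS front end can negotiate an AES suite before rebooting.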