CA Technologies is investigating a medium risk vulnerability (NVD) in SSL (Secure Sockets Layer) version 3 that was publicly disclosed on October 14, 2014 and is being referred to as the "POODLE" issue (Padding Oracle On Downgraded Legacy Encryption). This is a general vulnerability, not a CA product issue. More details can be found in CVE-2014-3566.
Release: SDMU0M99000-14.1-Service Desk Manager-Full License
Customers who have configured CA Service Desk Manager over the HTTPS protocol need to disable SSL V3. The following are the steps to disable SSLv3 for the web servers:
Tomcat:
Note:
A) For CA Open Space or CA Unified Self Service, modify the server.xml as per step#2, the configuration file server.xml can be found under following path:
{INSTALL_DIR}\OSOP\tomcat-xxx\conf where 'INSTALL_DIR' refers to the Open Space Installation Directory.
B) For certain Tomcat installs, the following Connector definition worked instead of the string suggested in Step#2 above:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" />
IIS:
You can disable support for the SSL 3.0 protocol on Windows by following these steps:
Customers who have CA Embedded Entitlements Manager configured with CA Service Desk Manager need to perform the following additional steps:
Embedded Entitlements Manager
EEM Server/Igateway uses SSLv23 as the default protocol (i.e. it can support the SSL2, SSL3 and TLSv1 protocols). The EEM CPP SDK also uses SSLv23 as the default protocol. The EEM Java SDK uses the TLSv1 protocol by default. However, these protocols are configurable on both the EEM SDK and the server side as follows.
iTechnology
<secureProtocol>TLSV1</secureProtocol>
Reference: https://cwiki.apache.org/confluence/display/CXF/Security+Advisories
Bar Mitzvah & Sweet32:
===================
In order to disable RC4 for the 'Bar Mitzvah' vulnerability, add the following ciphers attribute to the Connector port="8443" entry in the server.xml file under 'NX_ROOT\bopcfg\www\CATALINA_BASE\conf'. No RC4 suite (such as SSL_RSA_WITH_RC4_128_MD5 or SSL_RSA_WITH_RC4_128_SHA) may remain in this list, otherwise RC4 stays enabled:
ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
RC4 also needs to be disabled on the OS side. Refer to the following link: http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx
See the following on the SWEET32 vulnerability: https://bobcares.com/blog/how-to-fix-sweet32-birthday-attacks-vulnerability-cve-2016-2183/3/
It appears that Sweet32 should be addressed at the Windows level.
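As an added verification aid (not part of this article and not CA product code), the following Python script audits the SSL-enabled Connector entries of a Tomcat server.xml for the three issues covered above: SSLv3 left enabled (POODLE), RC4 suites (Bar Mitzvah) and 64-bit block cipher suites such as 3DES (Sweet32). The embedded server.xml is constructed sample input; the attribute names sslEnabledProtocols, sslProtocols and ciphers are the Tomcat Connector attributes.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the article): the first connector
# follows the article's Tomcat option B but still lists RC4 and 3DES suites;
# the second was never updated and still enables SSLv3.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslEnabledProtocols="SSLv3,TLSv1"/>
  </Service>
</Server>"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}


def audit_connector(conn):
    """Return a list of findings for one SSL-enabled <Connector> element."""
    findings = []
    # Tomcat's attribute is sslEnabledProtocols; older releases (and the
    # article's example) use sslProtocols, so both spellings are checked.
    protos = conn.get("sslEnabledProtocols") or conn.get("sslProtocols") or ""
    enabled = {p.strip() for p in protos.split(",") if p.strip()}
    if not enabled:
        findings.append("POODLE: no protocol list set, JVM default applies (may include SSLv3)")
    for proto in sorted(enabled & WEAK_PROTOCOLS):
        findings.append(f"POODLE: {proto} enabled")
    ciphers = [c.strip() for c in (conn.get("ciphers") or "").split(",") if c.strip()]
    if not ciphers:
        findings.append("ciphers: no cipher list set, JVM default applies")
    for suite in ciphers:
        if "RC4" in suite:
            findings.append(f"Bar Mitzvah: RC4 suite {suite}")
        if "3DES" in suite or "_DES_" in suite:
            findings.append(f"Sweet32: 64-bit block cipher suite {suite}")
    return findings


def audit_server_xml(xml_text):
    """Map each SSL-enabled connector port to its findings (empty list = clean)."""
    root = ET.fromstring(xml_text)
    return {
        conn.get("port"): audit_connector(conn)
        for conn in root.iter("Connector")
        if conn.get("SSLEnabled", "false").lower() == "true"
    }
```

Run audit_server_xml() over the contents of the real server.xml; a port whose finding list is empty passes all three checks, and connectors without SSLEnabled="true" are ignored.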