CA Endevor SCM products and POODLE Vulnerability


Article ID: 32435

Products

  • CA Endevor Software Change Manager (SCM)
  • CA Endevor Software Change Manager - Natural Integration (SCM)
  • CA Endevor Software Change Manager - ECLIPSE Plugin (SCM)
  • CA Endevor Software Change Manager - Enterprise Workbench (SCM)

Issue/Introduction

Question:

Is CA Endevor or CA Change Manager Enterprise workbench affected by the POODLE vulnerability?

Answer:

The CA Endevor SCM family of products (CA Endevor, CA Endevor - WebServices/Eclipse Plug-in, and CA Change Manager Enterprise Workbench (CMEW)) is not vulnerable to POODLE. However, the infrastructure these products run on, Apache Tomcat, can be vulnerable under its default SSL settings.

POODLE is an SSL v3 protocol vulnerability. It allows an attacker to downgrade an SSL/TLS connection to SSL v3 and then break its cryptographic protection (for example, decrypt the traffic or hijack sessions).

Disabling SSL v3 mitigates this vulnerability. Add the following attribute to the SSL connector in $Tomcat_Home\config\server.xml:

  • JSSE-based connector:

For older versions of Tomcat 6: sslProtocol="TLSv1,TLSv1.1,TLSv1.2"

For Tomcat 6.0.43 onwards and Tomcat 7: sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

  • APR-based connector:

SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
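The following script is an added example, not part of this article or of Tomcat. It audits a server.xml for SSL-enabled connectors and reports which ones still rely on Tomcat defaults or list a non-TLS protocol, using the three attribute names given above (sslProtocol and sslEnabledProtocols for JSSE connectors, SSLProtocol for APR connectors). The embedded server.xml is constructed for illustration: one connector left at defaults, one JSSE connector hardened as described, and one APR connector hardened with the '+'-separated form.

```python
"""Audit a Tomcat server.xml for SSL connectors that may still allow SSLv3.

Added example (not CA's or Tomcat's code). The sample XML below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: port 8443 keeps Tomcat defaults, 8444 is a JSSE connector
# with sslEnabledProtocols set, 8445 is an APR connector with SSLProtocol set.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"/>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
  </Service>
</Server>
"""

# Attribute names named in the article, checked in this order of preference.
PROTOCOL_ATTRS = ("sslEnabledProtocols", "sslProtocol", "SSLProtocol")


def enabled_protocols(connector):
    """Return the set of protocol names explicitly listed on a connector,
    or None when no protocol attribute is present (Tomcat defaults apply)."""
    for attr in PROTOCOL_ATTRS:
        value = connector.get(attr)
        if value:
            # JSSE lists are comma-separated, APR lists are '+'-separated.
            parts = value.replace("+", ",").split(",")
            return {p.strip() for p in parts if p.strip()}
    return None


def audit_server_xml(xml_text):
    """Return a list of (port, finding) tuples, one per SSL-enabled connector.

    'ok' means every listed protocol is a TLSv1.x name, so SSLv3 is excluded.
    Anything else (a bare 'TLS', 'SSLv3', 'all', ...) is reported, because
    those names either are SSLv3 or leave the choice to JDK/OpenSSL defaults.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: POODLE does not apply
        port = conn.get("port", "?")
        protos = enabled_protocols(conn)
        if protos is None:
            findings.append((port, "no protocol list: defaults may allow SSLv3"))
            continue
        bad = {p for p in protos if not p.upper().startswith("TLSV1")}
        if bad:
            findings.append((port, "protocol list includes non-TLS entry: "
                             + ",".join(sorted(bad))))
        else:
            findings.append((port, "ok"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"connector {port}: {finding}")
```

Run it against a real file with `audit_server_xml(open(path).read())`; the hardened connectors on ports 8444 and 8445 report "ok", while the default connector on 8443 is flagged. A bare `sslProtocol="TLS"` is deliberately reported too, since that value only names the JSSE context and leaves the enabled protocol set to the JDK.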


Environment

Release:
Component: ENTCCM