Question:
Is CA Endevor or CA Change Manager Enterprise workbench affected by the POODLE vulnerability?
Answer:
The CA Endevor SCM family of products (CA Endevor, CA Endevor WebServices/Eclipse Plug-in, and CA Change Manager Enterprise Workbench (CMEW)) is not itself vulnerable to POODLE. However, the infrastructure these products run on, Apache Tomcat, can be vulnerable under its default SSL settings if SSL v3 is left enabled on the SSL connector.
POODLE (CVE-2014-3566) is a vulnerability in the SSL v3 protocol. An attacker positioned on the network path can force a client and server that both still support SSL v3 to fall back from TLS to SSL v3, and then exploit a padding flaw in SSL v3's CBC cipher suites to decrypt parts of the traffic byte by byte (for example session cookies) and hijack sessions. Servers that refuse SSL v3 handshakes are not affected, which is why the fix below is simply to stop offering the protocol.
Disabling SSL v3 mitigates this vulnerability. Add the following attribute to the SSL connector in $Tomcat_Home/conf/server.xml and restart Tomcat:
For older Tomcat 6 releases: sslProtocol="TLSv1,TLSv1.1,TLSv1.2" (check the attribute name against the connector documentation for your exact 6.0.x release, since the protocol-list attribute changed in later releases)
For Tomcat 6.0.43 onwards and Tomcat 7, JSSE (BIO/NIO) connector: sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
For Tomcat 6.0.43 onwards and Tomcat 7, APR/native (OpenSSL) connector: SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
After restarting, confirm that an SSL v3 handshake to the connector port is refused.
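The connector definitions below show the default-style configuration beside the hardened ones for both Tomcat connector types. They are an added illustration for this article, not configuration shipped by CA or Apache Tomcat; the port, keystore and certificate paths and passwords are placeholders.

```xml
<!-- Exposed: no protocol restriction, so whatever the JRE or OpenSSL
     enables by default is offered, which on older builds includes SSLv3.
     Keystore path and password are placeholders. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="conf/keystore.jks" keystorePass="changeit"
           sslProtocol="TLS" />

<!-- Hardened JSSE (BIO/NIO) connector, Tomcat 6.0.43+ and Tomcat 7:
     sslEnabledProtocols restricts the handshake to TLS only. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
           keystoreFile="conf/keystore.jks" keystorePass="changeit"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />

<!-- Hardened APR/native (OpenSSL) connector: SSLProtocol takes a
     '+'-separated list. Certificate paths are placeholders. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="conf/localhost.crt"
           SSLCertificateKeyFile="conf/localhost.key"
           SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" />
```

Only one connector should listen on a given port; the three are shown together purely for comparison. Keep `sslProtocol="TLS"` on the JSSE connector (it selects the SSLContext algorithm, not the enabled versions) and rely on `sslEnabledProtocols` to exclude SSL v3.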