CA Endevor SCM products and POODLE Vulnerability

Document ID : KB000032435
Last Modified Date : 14/02/2018

Question:

Are CA Endevor SCM and CA Change Manager Enterprise Workbench (CMEW) affected by the POODLE vulnerability?

Answer:

The CA Endevor SCM family of products (CA Endevor, the CA Endevor WebServices/Eclipse Plug-in, and CA Change Manager Enterprise Workbench (CMEW)) is not itself vulnerable to POODLE. However, the Apache Tomcat server that hosts these components can be: with the default SSL connector settings, Tomcat of that period leaves SSLv3 enabled, and SSLv3 is what POODLE attacks. The remediation is therefore a Tomcat configuration change, not a product patch.

POODLE (CVE-2014-3566) is a vulnerability in the SSL 3.0 protocol itself: a padding-oracle weakness in its CBC-mode cipher suites. An attacker positioned between client and server can force a downgrade from TLS to SSLv3 (by making the TLS handshakes fail until the client retries with SSLv3) and then recover plaintext from the encrypted traffic one byte at a time, for example a session cookie, which allows the session to be hijacked. Because the flaw is in the protocol design, it cannot be patched; the only fix is to stop offering SSLv3.

Disabling SSLv3 on the Tomcat HTTPS connector mitigates the vulnerability. Add the attribute below to the SSL connector (the <Connector> element with SSLEnabled="true") in the conf/server.xml file under the Tomcat home directory, then restart Tomcat. The attribute to use depends on the connector type and the Tomcat version:

  • JSSE-based connector:

For Tomcat 6 releases before 6.0.43:   sslProtocols="TLSv1,TLSv1.1,TLSv1.2"

For Tomcat 6.0.43 onwards and Tomcat 7:   sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

Note the plural in sslProtocols: the singular sslProtocol attribute names the JSSE SSLContext algorithm (default TLS) and takes a single value, not a list. TLSv1.1 and TLSv1.2 are only available in the JVM from Java 7 onwards; on a Java 6 JVM list only TLSv1.

  • APR-based (native/OpenSSL) connector:

SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
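To confirm that the change took effect after the restart, the following script, added to this article as an example and not part of CA Endevor, CMEW or Tomcat, sends a hand-built SSLv3 ClientHello to the connector and reports whether the server answers with an SSLv3 ServerHello (still exposed) or rejects it. It builds the record by hand because current OpenSSL and Python builds no longer support SSLv3 at all, so openssl s_client -ssl3 is usually not available on a modern workstation. The default host localhost and port 8443 are assumptions; the sample server replies embedded in it are constructed, not captured from a real server.

```python
"""Probe whether a TLS endpoint still negotiates SSLv3 (POODLE exposure).

Added example for this article, not CA/Broadcom or Tomcat code. A raw SSLv3
ClientHello is sent and the first record of the reply is classified.
"""
import os
import socket
import struct

SSLV3 = b"\x03\x00"
CONTENT_HANDSHAKE = 0x16
CONTENT_ALERT = 0x15
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02

# CBC suites are the ones POODLE attacks; RC4 is offered too so that a server
# with only RC4 enabled for SSLv3 is still reported as SSLv3-capable.
CIPHER_SUITES = [0x0035, 0x002F, 0x000A, 0x0005]

ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}

# Constructed sample replies (not captured from any real server) so the
# classifier can be exercised offline; the last one is what a still-exposed
# server sends back.
SAMPLE_REPLIES = {
    "closed": b"",
    "alert protocol_version": b"\x15\x03\x00\x00\x02\x02\x46",
    "sslv3 ServerHello": b"\x16\x03\x00\x00\x2a\x02\x00\x00\x26\x03\x00" + b"\x00" * 32 + b"\x00\x00\x2f\x00",
}


def build_sslv3_client_hello(random_bytes=None):
    """Return a complete SSLv3 record (5-byte header) carrying a ClientHello."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    if len(random_bytes) != 32:
        raise ValueError("ClientHello random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSLV3                                        # client_version = 3.0
        + random_bytes                               # random
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", len(suites)) + suites    # cipher_suites
        + b"\x01\x00"                                # one compression method: null
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record a server sends back to the SSLv3 ClientHello."""
    if not data:
        return "rejected: connection closed without a reply"
    if len(data) < 5:
        return "unexpected: truncated record"
    content_type, version = data[0], data[1:3]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == CONTENT_ALERT and len(payload) >= 2:
        return "rejected: alert %s" % ALERT_NAMES.get(payload[1], payload[1])
    if content_type == CONTENT_HANDSHAKE and len(payload) >= 6 and payload[0] == HS_SERVER_HELLO:
        # ServerHello body follows the 4-byte handshake header; its first two
        # bytes are the protocol version the server actually selected.
        if payload[4:6] == SSLV3:
            return "VULNERABLE: server negotiated SSLv3"
        return "unexpected: ServerHello with version %s" % payload[4:6].hex()
    return "unexpected: content type 0x%02x version %s" % (content_type, version.hex())


def probe(host, port, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and classify the server's reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""   # a reset or silence is treated as a rejection
    return classify_response(reply)


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 2:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443   # assumed Tomcat HTTPS port
        print(probe(host, port))
    else:
        # No target given: show the classifier on the constructed replies.
        for label, reply in SAMPLE_REPLIES.items():
            print("%-22s -> %s" % (label, classify_response(reply)))
```

Run it as `python poodle_probe.py <host> <port>` against the connector before and after the server.xml change; a correctly hardened connector answers with an alert (typically protocol_version or handshake_failure) or simply closes the connection, never with an SSLv3 ServerHello.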