Remediation steps to secure CA Business Intelligence (CABI) from POODLE Vulnerability (CVE-2014-3566)

Document ID : KB000029120
Last Modified Date : 14/02/2018

DESCRIPTION

CA Technologies is investigating a medium-risk vulnerability (NVD rating) in SSL (Secure Sockets Layer) version 3 that was publicly disclosed on October 14, 2014 and is referred to as "POODLE" (Padding Oracle On Downgraded Legacy Encryption). POODLE is a design flaw in the SSL 3.0 protocol itself, not a defect in any CA product: an attacker who can force a client and server to fall back to SSL 3.0 can use the protocol's CBC padding handling as an oracle to recover plaintext such as session cookies. The only reliable remediation is to stop offering SSL 3.0 at all. More details can be found here: CVE-2014-3566.

SOLUTION

Customers who have configured CA Business Intelligence (CABI) over the HTTPS protocol need to disable SSL v3 on the web server.

Following are the steps to disable SSLv3 on the CABI web server (Tomcat):

Tomcat

  • Modify the Tomcat configuration file 'server.xml' and locate the HTTPS connector, which looks similar to the following snippet:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"  maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />

    Note that sslProtocol="TLS" only selects the JSSE SSLContext; on the Java runtimes of that era such a context still enables SSLv3 by default, so an explicit list of enabled protocols must be added.

  • When using CABI 3.2, CABI 3.2 SP4 or CABI 3.3, add the attribute below to the above snippet in server.xml for the SSL connector (this is the attribute name used by the Tomcat 6 JSSE connector):

    sslProtocols="TLSv1,TLSv1.1,TLSv1.2"

  • When using CABI 3.3 SP1 or CABI 3.3 SP2, add the attribute below to the above snippet in server.xml for the SSL connector (Tomcat 7 renamed the attribute to sslEnabledProtocols; the old name is ignored with a warning there):

    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

    If you are unsure which Tomcat version your CABI installation bundles, run 'java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo' from the Tomcat home directory. If the connector uses the APR/native implementation (protocol="org.apache.coyote.http11.Http11AprProtocol"), the protocol list is set with the SSLProtocol attribute instead; the two JSSE attributes above have no effect there.

  • Restart the CABI Tomcat server for the changes to take effect, then confirm that an SSLv3 handshake is refused, for example with 'openssl s_client -connect <host>:8443 -ssl3' (the handshake must fail). Current OpenSSL builds omit SSLv3 support entirely, so use an older build or a scanner such as nmap's ssl-enum-ciphers script for this check.
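
The following script is an added example for this article, not a CA Technologies tool: it audits a Tomcat server.xml for HTTPS connectors that may still accept SSLv3 and produces a remediated copy with the protocol list recommended above. It assumes a JSSE (non-APR) connector, where Tomcat 6 reads sslProtocols and Tomcat 7 and later read sslEnabledProtocols; the sample server.xml embedded in it is constructed for the example and is not taken from a CABI installation.

```python
"""Audit a Tomcat server.xml for HTTPS connectors that may still accept SSLv3,
and produce a remediated copy. Added example for the CABI POODLE article;
not CA's own tooling. Assumes the JSSE connector (sslProtocols on Tomcat 6,
sslEnabledProtocols on Tomcat 7+); APR connectors use SSLProtocol instead.
"""
import xml.etree.ElementTree as ET

# Checked in this order: a Tomcat 7 attribute wins over a leftover Tomcat 6 one.
PROTOCOL_ATTRS = ("sslEnabledProtocols", "sslProtocols")
TLS_ONLY = "TLSv1,TLSv1.1,TLSv1.2"   # the value the article recommends

# Constructed sample: one plain HTTP connector and three HTTPS connectors in
# different states. Not taken from a real CABI install.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- sslProtocol="TLS" only names the JSSE context; SSLv3 stays enabled -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    <!-- explicit list that still contains SSLv3 -->
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               sslProtocols="SSLv3,TLSv1" />
    <!-- remediated as the article describes for Tomcat 7 -->
    <Connector port="8445" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
  </Service>
</Server>
"""


def is_ssl_connector(connector):
    """True for connectors that terminate HTTPS (SSLEnabled="true")."""
    return connector.get("SSLEnabled", "false").lower() == "true"


def enabled_protocols(connector):
    """Return the connector's explicit protocol list, or None if unrestricted."""
    for attr in PROTOCOL_ATTRS:
        value = connector.get(attr)
        if value is not None:
            return [p.strip() for p in value.split(",") if p.strip()]
    return None


def audit(server_xml):
    """Return (port, verdict, reason) for every SSLEnabled connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not is_ssl_connector(conn):
            continue  # plain HTTP is out of scope for POODLE
        port = conn.get("port", "?")
        protos = enabled_protocols(conn)
        if protos is None:
            findings.append((port, "VULNERABLE",
                             "no protocol restriction; JRE defaults may include SSLv3"))
        elif any(p.upper().startswith("SSL") for p in protos):
            findings.append((port, "VULNERABLE",
                             "explicitly enables " + ",".join(protos)))
        else:
            findings.append((port, "OK", "TLS only: " + ",".join(protos)))
    return findings


def remediate(server_xml, attr="sslEnabledProtocols"):
    """Return server.xml with every SSLEnabled connector restricted to TLS.

    attr is sslProtocols for Tomcat 6 or sslEnabledProtocols for Tomcat 7+.
    Any existing protocol attribute is dropped first so a stale one cannot
    re-enable SSLv3 or trigger an unknown-attribute warning at startup.
    """
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if is_ssl_connector(conn):
            for stale in PROTOCOL_ATTRS:
                conn.attrib.pop(stale, None)
            conn.set(attr, TLS_ONLY)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, verdict, reason in audit(SAMPLE_SERVER_XML):
        print(f"port {port}: {verdict} ({reason})")
    print(remediate(SAMPLE_SERVER_XML, attr="sslProtocols"))
```

ElementTree rewrites the file's formatting and discards XML comments, so treat the remediated output as a reference to apply by hand rather than overwriting the installed server.xml. The TLS 1.0 and 1.1 entries are kept because the article specifies them; both protocols have since been deprecated (RFC 8996), so retain them only while clients still require them.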

Note: This POODLE vulnerability does not affect the SSL implementation used by CORBA. If SSL was enabled via the Server Intelligence Agent's Protocols tab, that component is not affected by the vulnerability and needs no change.