Remediation Steps to Secure CA Service Desk Manager from POODLE Vulnerability (CVE-2014-3566)

Document ID : KB000029169
Last Modified Date : 14/02/2018

Description

CA Technologies is investigating a medium-risk vulnerability (NVD rating) in SSL (Secure Sockets Layer) version 3 that was publicly disclosed on October 14, 2014 and is being referred to as the "POODLE" issue (Padding Oracle On Downgraded Legacy Encryption). This is a general protocol vulnerability, not a CA product issue. More details can be found under CVE-2014-3566.

Solution

Customers who have configured CA Service Desk Manager over HTTPS need to disable SSL v3. The following are the steps to disable SSLv3 for the web servers used with the product:

Tomcat:

  1. On the CA Service Desk Manager server, open the Tomcat configuration file 'server.xml' and locate the HTTPS connector:
        <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
  2. Change it to the following. The sslEnabledProtocols attribute restricts the connector to the listed protocol versions, so SSLv3 can no longer be negotiated; keep the element self-closing ("/>") as in the original, otherwise server.xml is no longer well-formed and Tomcat will not start:
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
  3. The configuration file server.xml can be found under following paths:
    1. $NX_ROOT\bopcfg\www\CATALINA_BASE\conf
    2. $NX_ROOT\bopcfg\www\CATALINA_BASE_FS\conf
    3. $NX_ROOT\bopcfg\www\CATALINA_BASE_REST\conf
    4. $NX_ROOT\bopcfg\www\CATALINA_BASE_SA\conf
    5. $NX_ROOT\bopcfg\www\CATALINA_BASE_VIZ\conf
  4. In a conventional setup, make the change on the Primary and on all Secondary servers. In an Advanced Availability setup, make the change on the Background server, all Standby servers and all Application servers. Tomcat reads server.xml only at startup, so restart the CA Service Desk Manager services on each server after editing the files.


Note:

A) For CA Open Space or CA Unified Self Service, modify server.xml as described in step 2; the configuration file server.xml can be found under the following path:

{INSTALL_DIR}\OSOP\tomcat-xxx\conf where 'INSTALL_DIR' refers to the Open Space Installation Directory.

B) Some Tomcat installs do not accept the sslEnabledProtocols attribute (older Tomcat releases named the attribute sslProtocols). On those installs, use the following connector instead of the one in step 2:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" />

 

IIS:

You can disable support for the SSL 3.0 protocol on Windows by following these steps:

  1. Click Start, click Run, type regedit (or regedt32), and then click OK.
  2. In Registry Editor, locate the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
    Note: If the complete registry key path does not exist, create the missing keys one at a time by selecting the last existing key and choosing New -> Key from the Edit menu.
  3. On the Edit menu, click Add Value (in regedit: New -> DWORD (32-bit) Value).
  4. In the Data Type list, click DWORD.
  5. In the Value Name box, type Enabled, and then click OK.
     Note: If this value is already present, double-click it to edit its current data.
  6. In the Edit DWORD (32-bit) Value dialog box, type 0.
  7. Click OK.
  8. Restart the computer for the change to take effect.

The Server subkey governs inbound SChannel connections, which is what IIS uses for HTTPS. The sibling key ...\SCHANNEL\Protocols\SSL 3.0\Client controls outbound SChannel connections made from the same host and is not required for this remediation.

Customers who have CA Embedded Entitlements Manager configured with CA Service Desk Manager must also perform the following additional steps:


Embedded Entitlements Manager

The EEM server (iGateway) uses SSLv23 as its default protocol, meaning it can negotiate SSL2, SSL3 and TLSv1. The EEM C++ SDK also defaults to SSLv23, while the EEM Java SDK defaults to TLSv1. The protocol is configurable on both the SDK side and the server side as follows.

  1. In the EEM SDK config file (<NX_ROOT>/pdmconf/eiam.config), in the iTechSDK section for C++, update the following:
        <TransportConfig>
            <!--possible values are SSLV23 /SSLV3/TLSV1-->
            <secureProtocol>TLSV1</secureProtocol>
        </TransportConfig>
  2. On the EEM server, in the igateway.conf file under the <Connector name="defaultport"> tag, set the protocol to TLSV1:
        <secureProtocol>TLSV1</secureProtocol>

iTechnology

  1. In igateway.conf, under the <Connector name="defaultport"> tag, set the protocol to TLSV1:
        <secureProtocol>TLSV1</secureProtocol>
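
Whichever of the components above was changed (Tomcat on 8443, IIS on 443, or the iGateway connector port), the remediation should be confirmed from the network rather than by reading the configuration back. The following Python script is an added example for this article, not CA code: it builds a raw SSLv3 ClientHello by hand, sends it, and classifies the first record the server returns. It is written at the byte level because current OpenSSL and Python ssl builds no longer offer SSLv3 themselves, so "openssl s_client -ssl3" is often unavailable on the machine doing the check. The cipher suite list, the default port of 8443 and the verdict strings are this example's own assumptions.

```python
import os
import socket
import struct
import sys

SSLV3 = b"\x03\x00"
CONTENT_HANDSHAKE, CONTENT_ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02

# Cipher suites an SSLv3-capable server is likely to accept (standard IANA
# values for the RSA and DHE-RSA suites with RC4, 3DES and AES).
CIPHER_SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004, 0x0039, 0x0033, 0x0016)

# Alert descriptions a server uses to reject an SSLv3 hello.
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(client_random=None):
    """Return one SSLv3 record carrying a ClientHello (SSLv3 predates extensions)."""
    client_random = client_random or os.urandom(32)
    suites = b"".join(struct.pack("!H", suite) for suite in CIPHER_SUITES)
    body = (SSLV3                                   # client_version = 3.0
            + client_random                         # 32-byte random
            + b"\x00"                               # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                          # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Turn the first record the server sent back into a verdict string.

    "sslv3_accepted"  - a ServerHello with version 3.0: the host is still exposed
    "refused:<alert>" - the server answered with an alert: the fix is working
    "closed"          - the server dropped the connection without a record (also a refusal)
    """
    if len(data) < 5:
        return "closed"
    content_type = data[0]
    record_len = int.from_bytes(data[3:5], "big")
    payload = data[5:5 + record_len]
    if content_type == CONTENT_ALERT and len(payload) >= 2:
        return "refused:" + ALERT_NAMES.get(payload[1], "alert_%d" % payload[1])
    if content_type == CONTENT_HANDSHAKE and len(payload) >= 6 and payload[0] == SERVER_HELLO:
        major, minor = payload[4], payload[5]   # server_version inside the ServerHello
        return "sslv3_accepted" if (major, minor) == (3, 0) else "negotiated_%d.%d" % (major, minor)
    return "unexpected"


def probe(host, port, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and classify the reply (live network check)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            reply = b""
    return classify_response(reply)


if __name__ == "__main__":
    # Usage: python poodle_check.py <host> [port]; 8443 is the SDM Tomcat port used above.
    target_host = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    print("%s:%d -> %s" % (target_host, target_port, probe(target_host, target_port)))
```

Run it against every server and port that was changed; any "sslv3_accepted" result means that file or registry key was missed or the service has not been restarted yet. A "refused:" or "closed" verdict only shows that SSLv3 is off, not which higher versions or cipher suites remain enabled.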

 

Reference: http://wiki.apache.org/tomcat/Security/POODLE