Poodle Vulnerability Fix

The problem is an 18-year-old encryption standard, known as SSL v3, which is still used by older browsers like Internet Explorer 6.

These changes need to be made in Tomcat only if NetFlow Analyzer is running in HTTPS mode.

How to protect Tomcat:

1. Stop NetFlow Analyzer Service.

2. Edit server.xml in the \NetFlow\conf folder. In the Connector XML node, remove the existing sslProtocols attribute, add sslProtocols="TLSv1" and sslEnabledProtocols="TLSv1.2", and set the cipher list ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"


Example:

    <Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/server.keystore" keystorePass="netflow" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" port="443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocols="TLSv1"  sslEnabledProtocols="TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"/>


3. Edit Wrapper.conf in the \NetFlow\conf folder and add the entry "-Dhttps.protocols=TLSv1.2":

   wrapper.java.additional.<count+1>=-Dhttps.protocols=TLSv1.2

(Find the last number in that sequence and add a new line with the next number. The number may differ between versions.)


wrapper.java.additional.14=-Dhttps.protocols=TLSv1.2

Example:

wrapper.java.additional.14=-XX:PermSize=128m
wrapper.java.additional.15=-XX:MaxPermSize=128m
wrapper.java.additional.16=-Dsun.net.client.defaultReadTimeout=20000
wrapper.java.additional.17=-Dsun.net.client.defaultConnectTimeout=6000
wrapper.java.additional.18=-Dhttps.protocols=TLSv1.2

4. Edit run.bat or run.sh in the \NetFlow\bin folder and add the entry below immediately after -Dserver.home="%SERVER_HOME%":

-Dhttps.protocols=TLSv1.2

Example:

   set JAVA_OPTS= -Xms256m -Xmx512m -Dcatalina.home="%SERVER_HOME%" -Dserver.home="%SERVER_HOME%" -Dhttps.protocols=TLSv1.2 -Djava.util.logging.config.file="%SERVER_HOME%\conf\logging.xml" -Dlog.dir="%SERVER_HOME%" -Ddb.home="%DB_HOME%" -Djava.library.path="%SERVER_HOME%\lib\native" -Duser.language="en" -Dfile.encoding="ISO-8859-1" -Djava.util.logging.manager="org.apache.juli.ClassLoaderLogManager" -Djava.util.logging.config.file="%SERVER_HOME%/conf/logging.properties" -Duser.home="%SERVER_HOME%/logs


5. Restart the NetFlow Analyzer service for the changes to take effect. This ensures that SSLv3 is not used by Tomcat at all.
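Before restarting, a configuration check that is an added example here and not part of the original article: it audits every SSL-enabled Connector in a server.xml for SSLv2/SSLv3 or legacy cipher suites, and builds the next wrapper.java.additional.<count+1> line for Wrapper.conf. The XML and Wrapper.conf fragments are constructed samples, and the list of legacy cipher markers is this example's assumption, not from the article.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment for demonstration; the real file is in \NetFlow\conf.
SERVER_XML = """<Server><Service name="Catalina">
<Connector port="443" SSLEnabled="true" scheme="https" secure="true"
  sslProtocols="TLSv1" sslEnabledProtocols="TLSv1.2"
  ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA"/>
<Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""

# Constructed tail of a Wrapper.conf; the numbering differs between builds.
WRAPPER_CONF = """wrapper.java.additional.16=-Dsun.net.client.defaultReadTimeout=20000
wrapper.java.additional.17=-Dsun.net.client.defaultConnectTimeout=6000
"""

SSL_PROTOCOLS = {"SSLv2", "SSLv3"}  # any of these enabled means POODLE exposure remains
LEGACY_MARKERS = ("_RC4_", "_NULL_", "_EXPORT", "_DES_", "_anon_", "_MD5")  # assumed list


def audit_connectors(xml_text):
    """Return [(port, [problem, ...])] for every SSLEnabled Connector."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        problems = []
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            problems.append("sslEnabledProtocols missing: JSSE defaults decide, may include SSLv3")
        else:
            bad = {p.strip() for p in enabled.split(",")} & SSL_PROTOCOLS
            if bad:
                problems.append("weak protocols enabled: " + ",".join(sorted(bad)))
        ciphers = conn.get("ciphers")
        if ciphers is None:
            problems.append("ciphers missing: default suite list is used")
        else:
            weak = [s for s in ciphers.split(",") if any(m in s for m in LEGACY_MARKERS)]
            if weak:
                problems.append("legacy cipher suites: " + ",".join(weak))
        findings.append((conn.get("port"), problems))
    return findings


def next_wrapper_entry(conf_text, option="-Dhttps.protocols=TLSv1.2"):
    """Build the wrapper.java.additional.<count+1> line, or None if the option is already set."""
    if re.search(r"^wrapper\.java\.additional\.\d+=" + re.escape(option) + r"\s*$", conf_text, re.M):
        return None
    indices = [int(n) for n in re.findall(r"^wrapper\.java\.additional\.(\d+)=", conf_text, re.M)]
    return f"wrapper.java.additional.{max(indices, default=0) + 1}={option}"
```

Run audit_connectors over the contents of your server.xml and next_wrapper_entry over your Wrapper.conf; an empty problem list for the HTTPS connector means neither SSLv3 nor a legacy suite is still enabled.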