Poodle Vulnerability CVE-2014-3566


POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption, makes it possible for an attacker to snoop on a user's web browsing. The problem lies in an 18-year-old encryption standard, SSL v3, which is still used by older browsers such as Internet Explorer 6.

These changes need to be made in Tomcat only if OpManager is running in HTTPS mode.

How to protect Tomcat:

1. Stop OpManager Service.

2. Edit ssl_server.xml in the \OpManager\tomcat\conf\backup folder: remove the existing sslProtocols attribute and add sslEnabledProtocols="TLSv1,SSLv2Hello" to the Connector XML node.


Example:
<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="WEBNMS_ROOT_DIR/conf/OPMTrans.key" keystorePass="opmanager" maxThreads="150" minSpareThreads="3" noCompressionUserAgents="gozilla, traviata" port="WEBSERVER_PORT" protocol="HTTP/1.1" scheme="https" secure="true" sslEnabledProtocols="TLSv1,SSLv2Hello"/>

3. Edit Wrapper.conf in the \OpManager\conf\ folder and add the entry shown below immediately after this line:

   wrapper.java.additional.13=-Djava.net.preferIPv4Stack=true

(Find the last number in that sequence and add a new line with the next number. The number may differ between versions.)


wrapper.java.additional.14=-Dhttps.protocols=TLSv1

Example:
wrapper.java.additional.8=-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
wrapper.java.additional.9=-Djava.util.logging.config.file=tomcat/conf/logging.properties
wrapper.java.additional.10=-XX:PermSize=64m
wrapper.java.additional.11=-XX:MaxPermSize=128m
wrapper.java.additional.12=-XX:+HeapDumpOnOutOfMemoryError
wrapper.java.additional.13=-Djava.net.preferIPv4Stack=true
wrapper.java.additional.14=-Dhttps.protocols=TLSv1
4. Edit StartOpManagerServer.bat in the \OpManager\bin folder and add the entry shown below immediately after the .\tomcat\conf\workers.properties argument:

-Dhttps.protocols=TLSv1

Example:

%JAVA_HOME%\bin\java -cp %CLASSPATH% -Dcatalina.home=.\tomcat -XX:+HeapDumpOnOutOfMemoryError -Xms200m -Xmx400m -XX:PermSize=64m  -XX:MaxPermSize=128m -Djava.library.path=.\lib -Dwebserver.rootdir=.\tomcat -Djava.rmi.server.codebase=.\tomcat\conf\workers.properties -Dhttps.protocols=TLSv1 -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.util.logging.config.file=%TOMCAT_HOME%\conf\logging.properties com.adventnet.me.opmanager.server.StartOpManagerJdbc TOMCAT_DIR .\tomcat\ ROOT_DIR . NATIVE_PING true NMS_BE_FAILOVER true

5. Restart the OpManager service for the changes to take effect. This ensures that Tomcat no longer uses SSLv3.
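As an added check (example code written for this page, not part of the article or of OpManager), the script below audits the edits from steps 2 and 3 offline: it flags a Connector that can still negotiate SSLv3 and computes the next free wrapper.java.additional.N line for Wrapper.conf. The Connector and Wrapper.conf samples are constructed from the article's own examples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: the Connector node before and after step 2, trimmed to
# the attributes that matter here (same values as the article's example).
VULNERABLE_CONNECTOR = ('<Connector SSLEnabled="true" port="WEBSERVER_PORT" '
                        'scheme="https" secure="true" sslProtocols="TLS"/>')
FIXED_CONNECTOR = ('<Connector SSLEnabled="true" port="WEBSERVER_PORT" '
                   'scheme="https" secure="true" '
                   'sslEnabledProtocols="TLSv1,SSLv2Hello"/>')

# Constructed excerpt of Wrapper.conf as it looks before step 3 is applied.
WRAPPER_CONF = """wrapper.java.additional.12=-XX:+HeapDumpOnOutOfMemoryError
wrapper.java.additional.13=-Djava.net.preferIPv4Stack=true
"""


def connector_allows_sslv3(connector_xml):
    """Return True if this Connector may still negotiate SSLv3.

    sslEnabledProtocols is the attribute that restricts the handshake. When it
    is absent, the connector falls back to the JSSE default protocol set, which
    on the Java releases of that era still included SSLv3; the legacy
    sslProtocols attribute does not remove it. SSLv2Hello only names the
    hello-record format, so it is not treated as enabling SSLv2 or SSLv3.
    """
    attrs = ET.fromstring(connector_xml).attrib
    if "sslEnabledProtocols" not in attrs:
        return True
    enabled = {p.strip() for p in attrs["sslEnabledProtocols"].split(",")}
    return "SSLv3" in enabled


def next_wrapper_entry(wrapper_conf, value="-Dhttps.protocols=TLSv1"):
    """Find the highest wrapper.java.additional.N and build the line to append.

    Note: -Dhttps.protocols governs the JVM's outbound HttpsURLConnection
    clients; the HTTPS listener itself is controlled by sslEnabledProtocols.
    """
    indexes = [int(n) for n in re.findall(
        r"^wrapper\.java\.additional\.(\d+)=", wrapper_conf, re.M)]
    return "wrapper.java.additional.%d=%s" % (max(indexes) + 1, value)


if __name__ == "__main__":
    print("before fix allows SSLv3:", connector_allows_sslv3(VULNERABLE_CONNECTOR))
    print("after fix allows SSLv3: ", connector_allows_sslv3(FIXED_CONNECTOR))
    print("line to add:", next_wrapper_entry(WRAPPER_CONF))
```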



