POODLE vulnerability in SSLv3

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain clear text data via a padding-oracle attack, aka the "POODLE" issue.

SSL 3.0 [RFC6101] is an obsolete and insecure protocol. For most practical purposes it has been replaced by its successors TLS 1.0 [RFC2246], TLS 1.1 [RFC4346], and TLS 1.2 [RFC5246].

Impact on NAM

NAM components may use SSL v3 (intentionally or unintentionally) if an HTTPS connection is enabled:

  • To secure browsing between the user's web browser and the NAM Server (old CAS/ADS), or the Enterprise Portal web interface.
  • To secure the data communication channel between the NAM Probe (old AMD) and the report server NAM Probe for data upload.

Several components of specific NAM releases may be impacted. Refer to the table below for more information.

If a NAM component is impacted, the solution is to disable SSLv3 in favor of a more secure protocol such as TLS.

See below for component-specific details.

NAM Server

Vulnerability: [ POSSIBLE ]

Affected systems are those with the SSL web connector (HTTPS) enabled and a non-default SSL connector setting that allows SSLv3.

To check whether a NAM Server (old CAS/ADS) is affected:

Check your NAM Server (old CAS/ADS) server configuration

Open on NAM Server (old CAS/ADS):
C:\Program Files\Compuware\<INST_DIR>\config\common.properties

and check if:

connector.ssl.enabled=true

and

connector.ssl.SSLProtocol=TLSv1+SSLv3

or

connector.ssl.SSLProtocol=ALL

If SSLv3 was enabled directly or indirectly (via "ALL" protocol option), disable SSLv3:

  1. Change this setting in the common.properties configuration file:
   connector.ssl.SSLProtocol=TLSv1
  2. Restart the NAM Server (old CAS/ADS) server

NAM Probe

Vulnerability status = [ POSSIBLE ]

Affected systems are those with SSL communication enabled between the NAM Server and other NAM components (Console or Dynatrace server) and a non-default SSL connector setting that allows SSLv3.

Here is a way to check if a NAM Probe (old AMD) is impacted:

Open /usr/adlex/config/rtm.config and check if:

https.port=443

(or other port number different than zero) and:

rtmgate.sslVersion=SSLv3

If https.port=0, secure data transfer is not enabled.
If the probe is impacted, disable use of SSLv3 (no change is needed if TLSv1 is already enabled):

  1. Change this setting in the /usr/adlex/config/rtm.config config file:
   rtmgate.sslVersion=TLSv1
  2. Restart the RtmGate process on the NAM Probe (old AMD):
   service rtmgate restart
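The two checks above (NAM Server common.properties and NAM Probe rtm.config) are the same pattern: read a properties file, decide whether SSLv3 can still be negotiated, and pin the protocol. The script below is an added example written for this page, not Dynatrace or Compuware code; it assumes only the property names and values given in the two sections, and the sample files it reads are constructed inline. The remediation pins TLSv1 because that is the value the page prescribes; on a release that supports it, TLSv1.2 or later is the better choice.

```python
"""Audit and remediate the SSLv3 settings described above:
connector.ssl.* in the NAM Server common.properties and https.port /
rtmgate.sslVersion in the NAM Probe rtm.config. Added example; not Dynatrace
or Compuware code. Only the property names from the page are assumed."""
from typing import Dict


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-style properties parser: blank lines and lines starting
    with '#' or '!' are comments; the first '=' (or ':') separates key and
    value; a repeated key keeps its last value."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def nam_server_allows_sslv3(props: Dict[str, str]) -> bool:
    """HTTPS connector on, and the protocol list names SSLv3 directly
    (e.g. TLSv1+SSLv3) or indirectly via ALL."""
    if props.get("connector.ssl.enabled", "false").strip().lower() != "true":
        return False
    raw = props.get("connector.ssl.SSLProtocol", "")
    protocols = {p.strip().upper() for p in raw.split("+")}
    return "ALL" in protocols or "SSLV3" in protocols


def nam_probe_allows_sslv3(props: Dict[str, str]) -> bool:
    """Secure upload on (https.port != 0) and rtmgate.sslVersion set to SSLv3."""
    try:
        port = int(props.get("https.port", "0"))
    except ValueError:
        port = 0
    return port != 0 and props.get("rtmgate.sslVersion", "").upper() == "SSLV3"


def set_property(text: str, key: str, value: str) -> str:
    """Return the file text with key=value rewritten in place (other lines,
    comments and order untouched); the key is appended if it was absent."""
    out, found = [], False
    for raw in text.splitlines():
        stripped = raw.strip()
        is_comment = stripped.startswith(("#", "!"))
        if not is_comment and stripped.partition("=")[0].strip() == key:
            out.append(f"{key}={value}")
            found = True
        else:
            out.append(raw)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def remediate_nam_server(text: str) -> str:
    """The fix from the NAM Server section: pin the connector to TLSv1."""
    return set_property(text, "connector.ssl.SSLProtocol", "TLSv1")


def remediate_nam_probe(text: str) -> str:
    """The fix from the NAM Probe section: pin rtmgate to TLSv1."""
    return set_property(text, "rtmgate.sslVersion", "TLSv1")


# Constructed sample files; not taken from any real installation.
SERVER_PROPS = """# common.properties (constructed sample)
connector.ssl.enabled=true
connector.ssl.SSLProtocol=TLSv1+SSLv3
"""
PROBE_CONFIG = """# rtm.config (constructed sample)
https.port=443
rtmgate.sslVersion=SSLv3
"""

if __name__ == "__main__":
    for name, text, check, fix in (
        ("NAM Server", SERVER_PROPS, nam_server_allows_sslv3, remediate_nam_server),
        ("NAM Probe", PROBE_CONFIG, nam_probe_allows_sslv3, remediate_nam_probe),
    ):
        before = check(parse_properties(text))
        after = check(parse_properties(fix(text)))
        print(f"{name}: SSLv3 allowed before fix={before}, after fix={after}")
```

Run it against a copy of the real files by reading them into `text`; the checks are read-only, and `set_property` returns new text rather than writing, so the rewrite can be diffed before the service restart the page calls for.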

NAM Console

Vulnerability status = [ YES ]

NAM Console is vulnerable in two ways.

  1. Versions older than 12.2.2 only: HTTPS communication between the RUM Console client (either the standalone RUM Console client application or RUM Console Web Start launched from the CAS main menu) and the RUM Console server. The default port is TCP/4183. Although SSLv3 cannot be disabled completely on the RUM Console server at this time, it is possible to disable the CBC cipher suites in SSLv3 on the RUM Console server, which removes the POODLE-vulnerable part of the RUM Console server.

Here are the steps to disable the CBC cipher suites in the NAM Console.

  • Make a backup of Console $INSTALL_DIRECTORY\cva\eclipse\workspace\configuration\jetty\jetty.xml file
  • Edit Console $INSTALL_DIRECTORY\cva\eclipse\workspace\configuration\jetty\jetty.xml file
  • Add below list of excluded Cipher Suites to the org.mortbay.jetty.security.SslSocketConnector section in the jetty.xml configuration file:

Example:

and

  • Extra step for RUM Consoles in version < 12.2 GA

    Replace keystore file: Console $INSTALL_DIRECTORY\cva\eclipse\workspace\configuration\keystore with the attached one (unzip it first).

  • Restart "NAM Console" Windows service

  2. HTTPS connection between the NAM Console server and the CBA agent on the NAM Probe (old AMD) (Guided Configuration).
    The changes below are made on the NAM Probe (old AMD):

    1. Edit /usr/adlex/config/cba-agent.jms.properties
    2. Append this setting to jms.external.context:
      &transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
    3. Restart all NAM Probe processes:
      ndstop
      ndstart

    The jms.external.context line should then look like this:

    jms.external.context=?needClientAuth=false&soTimeout=60000&transport.enabledCipherSuites=SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA&transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
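The jms.external.context value is a query string, so the edit above can be checked and applied mechanically rather than by hand-appending text. The script below is an added example for this page, not Dynatrace or Compuware code; it assumes only the key and parameter names shown above, and the 'before' line is constructed from the sample line by dropping the transport.enabledProtocols suffix.

```python
"""Check and pin transport.enabledProtocols in the jms.external.context line of
/usr/adlex/config/cba-agent.jms.properties. Added example; not Dynatrace or
Compuware code. The key name and the parameter names come from the page."""
from typing import List, Optional, Tuple

KEY = "jms.external.context"
PARAM = "transport.enabledProtocols"
TLS_ONLY = "TLSv1,TLSv1.1,TLSv1.2"  # the value the page prescribes


def parse_context(line: str) -> List[Tuple[str, str]]:
    """Split 'jms.external.context=?a=b&c=d' into ordered (name, value) pairs.
    Values are only trimmed at the ends so the spaces inside the cipher
    suite list survive a round trip."""
    key, sep, rest = line.partition("=")
    if key.strip() != KEY or not sep:
        raise ValueError("not a jms.external.context line")
    params: List[Tuple[str, str]] = []
    for part in rest.strip().lstrip("?").split("&"):
        if part:
            name, _, value = part.partition("=")
            params.append((name.strip(), value.strip()))
    return params


def build_context(params: List[Tuple[str, str]]) -> str:
    return f"{KEY}=?" + "&".join(f"{n}={v}" for n, v in params)


def enabled_protocols(line: str) -> Optional[List[str]]:
    """The protocol list, or None when the parameter is absent and the
    transport's default protocol set (which the page treats as SSLv3-capable)
    applies."""
    for name, value in parse_context(line):
        if name == PARAM:
            return [p.strip() for p in value.split(",") if p.strip()]
    return None


def sslv3_possible(line: str) -> bool:
    """True when nothing pins the protocol set, or SSLv3 is listed explicitly."""
    protos = enabled_protocols(line)
    return protos is None or any(p.upper() == "SSLV3" for p in protos)


def pin_tls_protocols(line: str) -> str:
    """Append (or replace) transport.enabledProtocols with the TLS-only list.
    Idempotent: running it on an already-pinned line returns it unchanged."""
    params = [(n, v) for n, v in parse_context(line) if n != PARAM]
    params.append((PARAM, TLS_ONLY))
    return build_context(params)


# Constructed 'before' line: the cipher suite list mirrors the sample above,
# without the transport.enabledProtocols suffix the fix adds.
BEFORE = (
    "jms.external.context=?needClientAuth=false&soTimeout=60000"
    "&transport.enabledCipherSuites=SSL_RSA_WITH_3DES_EDE_CBC_SHA, "
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, "
    "SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
)
AFTER = BEFORE + f"&{PARAM}={TLS_ONLY}"

if __name__ == "__main__":
    print("before:", sslv3_possible(BEFORE), "after:", sslv3_possible(pin_tls_protocols(BEFORE)))
```

Because `pin_tls_protocols` rebuilds the line from parsed parameters, a stray second `transport.enabledProtocols` (for example from running the manual append twice) is collapsed into one, which a plain string append would not do.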

Enterprise portal

Vulnerability status = [ YES ]

APMOEPM-1762

To mitigate this vulnerability in EP when it is configured for HTTPS, follow these steps:

  • Make a backup of the file server.xml located in the $INSTALL_DIRECTORY\Tomcat\Conf\ folder.
  • In server.xml, find the "<Connector" node and replace the string sslProtocol="TLS" with sslProtocols="TLSv1, TLSv1.1, TLSv1.2". Note that the "sslProtocols" in the new string is plural. The result should look something like this with the appropriate keystore information:

<Connector URIEncoding="UTF-8" port="8443" protocol="HTTP/1.1" SSLEnabled="true" emptySessionPath="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocols="TLSv1, TLSv1.1, TLSv1.2" keystoreFile="c:\sslkey\portalstore.jks"
keystorePass="password" />

  • Restart "Compuware Enterprise Portal" Service
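The server.xml change above is a single attribute edit on the SSL-enabled Connector, but on a real installation it is worth confirming which connectors are actually in scope before and after the change. The script below is an added example for this page, not Dynatrace or Compuware code; it assumes only the sslProtocol / sslProtocols attribute names and value shown above, and its server.xml fragment is constructed with placeholder keystore values.

```python
"""Audit and patch the HTTPS <Connector> in an Enterprise Portal Tomcat
server.xml as described above. Added example; not Dynatrace or Compuware
code. The attribute names sslProtocol / sslProtocols come from the page."""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

TLS_ONLY = "TLSv1, TLSv1.1, TLSv1.2"  # the value the page prescribes
CONNECTOR_TAG = re.compile(r"<Connector\b[^>]*>")


def audit_connectors(xml_text: str) -> List[Tuple[str, str]]:
    """Return (port, problem) for every SSL-enabled connector that either has
    no sslProtocols list (so sslProtocol="TLS" leaves the default protocol
    set, SSLv3 included, in play) or lists SSLv3 explicitly."""
    findings: List[Tuple[str, str]] = []
    for c in ET.fromstring(xml_text).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, not in scope for this advisory
        port = c.get("port", "?")
        plural = c.get("sslProtocols")
        if plural is None:
            single = c.get("sslProtocol", "")
            findings.append((port, f'sslProtocol="{single}" without sslProtocols'))
        elif any(p.strip().upper() == "SSLV3" for p in plural.split(",")):
            findings.append((port, "sslProtocols lists SSLv3"))
    return findings


def patch_server_xml(xml_text: str) -> str:
    """Text-level replacement so the rest of the file (comments, formatting)
    is left intact; only SSL-enabled Connector tags are touched."""
    def fix(match: "re.Match[str]") -> str:
        tag = match.group(0)
        if 'SSLEnabled="true"' not in tag:
            return tag
        return tag.replace('sslProtocol="TLS"', f'sslProtocols="{TLS_ONLY}"')
    return CONNECTOR_TAG.sub(fix, xml_text)


# Constructed server.xml fragment; keystore path and password are placeholders.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector URIEncoding="UTF-8" port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" keystoreFile="[keystore path]"
               keystorePass="[keystore password]" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    print("before:", audit_connectors(SAMPLE_SERVER_XML))
    print("after: ", audit_connectors(patch_server_xml(SAMPLE_SERVER_XML)))
```

`audit_connectors` parses the document, so it also works as the post-change check: if the edited file fails to parse, Tomcat would not start with it either, which is worth knowing before the service restart.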

Enterprise Synthetic

Vulnerability status = [ POSSIBLE ]

By default, Synthetic Monitoring uses non-secure (HTTP) communication between web services and is not affected by this vulnerability unless it is configured to use secure communication.

In 12.2 and earlier releases of Synthetic Monitoring, if configured for secure (HTTPS) communication between the web services or with the CAS, the web services use SSLv3 protocol. If configured to monitor a secure URL, the Agent's Autocheck could only connect if the server was using SSLv3. If the server was using TLS, the Autocheck would not connect in 12.2 and earlier releases.

Consequently, a patch is available to enable the use of TLSv1 instead of SSLv3 for the following 12.1.0, 12.1.1, and 12.2.0 components and services:

  • Compuware Synthetic Monitoring Manager
  • Compuware Synthetic Monitoring Agent Manager Web Service
  • Compuware Synthetic Monitoring Agent Web Service
  • Agent Autocheck monitor

By default, VantageView uses non-secure (HTTP) communication for its web services and is not affected by the POODLE vulnerability unless configured to use secure communication. Follow Microsoft's instructions to disable SSLv3 on Windows, including Internet Information Services (IIS), at https://technet.microsoft.com/en-us/library/security/3009008.aspx.

Dynatrace Network Analyzer (DNA)

Vulnerability status = [ NO ]

By default, Transaction Trace / Dynatrace Network Analyzer (DNA) uses non-secure (HTTP) communication with one of its components and is not affected by this vulnerability unless it is configured to use secure communication. In order to ensure the environment is not affected, please check if Trace Trimmer is configured to connect over HTTP.

References