000029288 - SSLv3 POODLE Vulnerability (CVE-2014-3566) in RSA DCS products

Document created by RSA Customer Support Employee on Jun 14, 2016

Article Content

Article Number: 000029288

Applies To:
RSA Certificate Manager 6.9 build 557 and earlier builds (Windows only)
RSA Registration Manager 6.9 build 557 and earlier builds (Windows only)
RSA Certificate Manager 6.8 build 522 and earlier builds (all platforms)
RSA Registration Manager 6.8 build 522 and earlier builds (all platforms)
RSA Validation Manager 3.2 build 200 and earlier builds (Windows only)
RSA Validation Manager 3.1 build 162 and earlier builds (Windows only)

CVE ID: CVE-2014-3566

Article Summary: The SSLv3 protocol is vulnerable when a block cipher is used in CBC mode. SSLv3 uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

Link to Advisories: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

Technical Details Explanation: To mitigate the effects of POODLE, follow the steps provided below to disable the use of SSLv3 in RSA DCS products:

Steps to disable SSLv3, by product:

A) RSA Certificate Manager 6.9 build 557 and earlier builds (Windows only)

RSA Certificate Manager 6.9 build 557 and earlier, on Windows, allow the use of SSLv3 with a block cipher in CBC mode. Update the configuration file httpd.conf to use the TLSv1 protocol and disallow SSL 3.0. The following steps allow only the TLS1.0 and TLS1.1 protocols:

   1. Open the following file:
        INSTALL_DIR/WebServer/conf/httpd.conf

   2. In the virtual hosts of the Administration, Enrollment and Renewal Servers, add the following line directly below the “SSLCipherSuite” directive:
        SSLProtocol all -SSLv2 -SSLv3

   3. Restart the RSA Certificate Manager services.

   NOTE:
   - SCEP and CRL Servers do not use SSL by default. CMP Enroll and REST Servers, if enabled, use TLSv1 by default.
   - RSA Certificate Manager 6.9 build 557 and earlier do not support the TLS1.2 protocol.
B) RSA Registration Manager 6.9 build 557 and earlier builds (on Windows)

RSA Registration Manager 6.9 build 557 and earlier, on Windows, allow the use of SSLv3 with a block cipher in CBC mode. Update the configuration file httpd.conf to use the TLSv1 protocol and disallow SSL 3.0. The following steps allow only the TLS1.0 and TLS1.1 protocols:

   1. Open the following file:
        INSTALL_DIR/WebServer/conf/httpd.conf

   2. In the virtual hosts of the Administration, Enrollment and Renewal Servers, add the following line directly below the “SSLCipherSuite” directive:
        SSLProtocol all -SSLv2 -SSLv3

   3. Restart the RSA Registration Manager services.

   NOTE:
   - The SCEP Server does not use SSL by default.
   - RSA Registration Manager 6.9 build 557 and earlier do not support the TLS1.2 protocol.
C) RSA Certificate Manager 6.8 build 522 and earlier builds (all platforms)

RSA Certificate Manager 6.8 build 522 and earlier allow the use of SSLv3 with a block cipher in CBC mode. Either update the configuration file httpd.conf to use the TLSv1 protocol and disallow SSL 3.0, or upgrade to RSA Certificate Manager 6.9 build 557 and then update the configuration file to use TLSv1. The following steps allow only the TLS1.0 and TLS1.1 protocols:

   1. Open the following file:
        INSTALL_DIR/WebServer/conf/httpd.conf

   2. In the virtual hosts of the Administration, Enrollment and Renewal Servers, add the following line directly below the “SSLCipherSuite” directive:
        SSLProtocol all -SSLv2 -SSLv3

   3. Restart the RSA Certificate Manager services.

   NOTE:
   - SCEP and CRL Servers do not use SSL by default.
   - RSA Certificate Manager 6.8 build 522 and earlier do not support the TLS1.2 protocol.
D) RSA Registration Manager 6.8 build 522 and earlier builds (all platforms)

RSA Registration Manager 6.8 build 522 and earlier allow the use of SSLv3 with a block cipher in CBC mode. Either update the configuration file httpd.conf to use the TLSv1 protocol and disallow SSL 3.0, or upgrade to RSA Registration Manager 6.9 build 557 and then change the configuration file to use TLSv1. The following steps allow only the TLS1.0 and TLS1.1 protocols:

   1. Open the following file:
        INSTALL_DIR/WebServer/conf/httpd.conf

   2. In the virtual hosts of the Administration, Enrollment and Renewal Servers, add the following line directly below the “SSLCipherSuite” directive:
        SSLProtocol all -SSLv2 -SSLv3

   3. Restart the RSA Registration Manager services.

   NOTE:
   - The SCEP Server does not use SSL by default.
   - RSA Registration Manager 6.8 build 522 and earlier do not support the TLS1.2 protocol.
E) RSA Validation Manager 3.2 build 200 and earlier builds (on Windows)

RSA Validation Manager v3.2 build 200 and earlier, on Windows, allow the use of SSLv3 with a block cipher in CBC mode. Update the configuration file httpd.conf to use the TLSv1 protocol and disallow SSL 3.0. The following steps allow only the TLS1.0 and TLS1.1 protocols:

   1. If SSL is enabled for OCSP over HTTPS, open the following file:
        INSTALL_DIR/ValidationServer/conf/httpd.conf

   2. In the virtual host section, add the following line directly below the “SSLCipherSuite” directive:
        SSLProtocol all -SSLv2 -SSLv3

   3. Open the following file:
        INSTALL_DIR/ValidationServer/conf/httpd-ssl

   4. Add the following line directly after every occurrence of the “SSLCipherSuite” directive:
        SSLProtocol all -SSLv2 -SSLv3

   5. Restart the RSA Validation Manager services.

   NOTE:
   - RSA Validation Manager v3.2 build 200 and earlier do not support the TLS1.2 protocol.
F) RSA Validation Manager 3.1 build 162 and earlier builds (on Windows)

RSA Validation Manager v3.1 build 162 and earlier, on Windows, allow the use of SSLv3 with a block cipher in CBC mode. Update the configuration file httpd.conf to use the TLSv1 protocol and disallow SSL 3.0. The following steps allow only the TLS1.0 and TLS1.1 protocols:

   1. If SSL is enabled for OCSP over HTTPS, open the following file:
        INSTALL_DIR/ValidationServer/conf/httpd.conf

   2. In the virtual host section, add the following line directly below the “SSLCipherSuite” directive:
        SSLProtocol all -SSLv2 -SSLv3

   3. Open the following file:
        INSTALL_DIR/ValidationServer/conf/httpd-ssl

   4. Add the following line directly after every occurrence of the “SSLCipherSuite” directive:
        SSLProtocol all -SSLv2 -SSLv3

   5. Restart the RSA Validation Manager services.

   NOTE:
   - RSA Validation Manager v3.1 build 162 and earlier do not support the TLS1.2 protocol.
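Every product section above applies the same change: the line "SSLProtocol all -SSLv2 -SSLv3" placed below each "SSLCipherSuite" directive of an SSL-enabled virtual host. The following Python script is an added example, not part of this advisory or of any RSA product: it audits an httpd.conf for SSL virtual hosts that still permit SSLv3 (including hosts with no SSLProtocol directive at all, whose mod_ssl default permits it) and inserts the advisory's line where it is missing. The configuration fragment is constructed for the example; the script checks SSLv3 only and says nothing about the TLS1.2 limitation noted above.

```python
import re
# Constructed sample httpd.conf fragment (not from any RSA product): the first
# virtual host already excludes SSLv3, the second still allows it.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost _default_:8443>
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>
"""
FIX_LINE = "SSLProtocol all -SSLv2 -SSLv3"  # the line the advisory adds
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
SSLPROTO_RE = re.compile(r"^[ \t]*SSLProtocol\s+(.+?)\s*$", re.M | re.I)

def sslv3_allowed(protocol_args):
    """True if an SSLProtocol argument string still permits SSLv3. Mirrors mod_ssl's
    left-to-right parsing: a bare token replaces the protocol set, '+'/'-' add or
    remove one, and 'all' includes SSLv3 on the Apache builds these products use."""
    allowed = False
    for tok in protocol_args.split():
        sign, name = (tok[0] if tok[0] in "+-" else ""), tok.lstrip("+-").lower()
        hit = name in ("all", "sslv3")
        allowed = (allowed or hit) if sign == "+" else (allowed and not hit) if sign == "-" else hit
    return allowed

def audit(conf_text):
    """Map each SSL-enabled virtual host name to True if it still allows SSLv3."""
    result = {}
    for m in VHOST_RE.finditer(conf_text):
        name, body = m.group(1).strip(), m.group(2)
        if not re.search(r"^[ \t]*SSLEngine\s+on", body, re.M | re.I):
            continue  # plain-HTTP host (e.g. a SCEP or CRL server): nothing to fix
        proto = SSLPROTO_RE.search(body)
        result[name] = sslv3_allowed(proto.group(1)) if proto else True  # no directive: default allows SSLv3
    return result

def remediate(conf_text):
    """Insert FIX_LINE directly below SSLCipherSuite in every SSL host audit() flags."""
    def patch(m):
        name, body = m.group(1), m.group(2)
        if not audit(m.group(0)).get(name.strip()):
            return m.group(0)  # already restricted, or not an SSL host: leave untouched
        patched = re.sub(r"^([ \t]*)(SSLCipherSuite\b.*)$",
                         lambda c: f"{c[1]}{c[2]}\n{c[1]}{FIX_LINE}", body, flags=re.M | re.I)
        return f"<VirtualHost {name}>{patched}</VirtualHost>"
    return VHOST_RE.sub(patch, conf_text)
```

Run audit() on the file before and after editing: a host that still reports True after the restart has either no SSLCipherSuite line for the insertion to follow or a later SSLProtocol directive that re-enables SSLv3.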

 

Disclaimer

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800-995-5095. RSA Corporation distributes RSA Security Advisories in order to bring important security information to the attention of users of the affected RSA products. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
