000029215 - Authentication Manager Express / AMX 1.0 hotfix for CVE-2014-3566/POODLE - manual instructions

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000029215
Applies To: Authentication Manager Express / AMX 1.0
Issue: AMX 1.0 hotfix for CVE-2014-3566/POODLE - manual instructions
AMX Hotfix for:
AM-28570 - Restricts the HTTPS ports used for browser connections to TLSv1 or later, so that SSLv3 is no longer accepted. Addresses the POODLE vulnerability (CVE-2014-3566), a padding-oracle weakness in messages encrypted with CBC cipher suites under SSLv3. This fix must be applied to all primary and replica systems.
CVE-2014-3566 is rated medium-low (CVSSv2 base score 4.3). Exploiting it requires an attacker in an active man-in-the-middle position between the victim's browser and the server, plus a way to make that browser send many requests of attacker-chosen layout over SSLv3 with a CBC cipher (for example, script injected into an unencrypted page the victim is viewing). By altering the padding of those records and watching which ones the server rejects, the attacker recovers secrets such as session cookies roughly one byte per 256 requests. Because a client and server that both support TLS can still be pushed down to SSLv3 by interfering with the handshake, the fix is to stop the server accepting SSLv3 at all rather than to rely on clients preferring TLS.
Resolution: To apply the hotfix, which adds a restriction requiring TLSv1 or later on certain AMX ports -
  • Any version of AMX 1.0 may be patched; there is no prerequisite patch level.
  • Log in to the AMX appliance as “emcsrv”, then become the “rsaadmin” user with:
sudo su rsaadmin
       providing the required password when requested.
  • Go to the server directory with the command:
cd /usr/local/RSASecurity/RSAAuthenticationManager/server
  • Stop all AMX services:
./rsaserv stop all
  • Go to the wrapper directory with the command:
cd wrapper
  • Optional - Make backup copies of the files to be edited:
cp AdminServerWrapper.conf AdminServerWrapper.conf-ORIG
cp BiztierServerWrapper.conf BiztierServerWrapper.conf-ORIG
cp ConsoleServerWrapper.conf ConsoleServerWrapper.conf-ORIG
  • Carefully edit the three files (the editor “vi” is available on the appliance):
    • AdminServerWrapper.conf
    • BiztierServerWrapper.conf
    • ConsoleServerWrapper.conf
For each of the above files, locate the line beginning with “wrapper.java.additional.” that currently has the largest number following this prefix. Immediately after that line, add a new line starting in the first column, of the form:
  • wrapper.java.additional.NN=-Dweblogic.security.SSL.protocolVersion=TLS1
where “NN” is replaced by the next higher numeric value. The number must be exactly one more than the current highest: the Java Service Wrapper reads these entries in numeric order and ignores everything after the first gap in the sequence, so an entry with a skipped number would be silently dropped and the server would keep accepting SSLv3. The WebLogic property value TLS1 means that only TLS 1.0 or later is negotiated on the affected ports.
  • Make sure that each file is saved with the expected change and that the editor is closed. Check that no unexpected characters (for example, Windows line endings or a leading space) were introduced and that each file now contains exactly one line ending in protocolVersion=TLS1.
  • Change the group and permissions for the files:
chgrp rsaadmin  AdminServerWrapper.conf BiztierServerWrapper.conf ConsoleServerWrapper.conf
chmod 755       AdminServerWrapper.conf BiztierServerWrapper.conf ConsoleServerWrapper.conf
  • Return to the server directory and restart AMX services:
cd ..
./rsaserv start all
  • Repeat the procedure on each replica, if any; the fix must be present on every primary and replica system.
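The manual editing steps above, carried out by a script, as an added example that is not part of the RSA article or of the hotfix itself. It inserts the property from the article as the next sequential wrapper.java.additional.N entry, keeps the -ORIG backup the article suggests, refuses to add the property twice, and checks that the numbering has no gaps. It assumes it is run as rsaadmin from the wrapper directory after “./rsaserv stop all”, and that the wrapper .conf files use the one-key-per-line layout shown in the article; the file names and arguments in the usage line are the article's, everything else is illustrative.

```shell
#!/bin/sh
# Added example (not RSA's hotfix script): insert the WebLogic TLS-only
# property into Java Service Wrapper conf files as the next sequential
# wrapper.java.additional.N entry. Run as rsaadmin in the wrapper directory
# with AMX services stopped. Needs only POSIX sh, sed, sort, awk.

PROP='-Dweblogic.security.SSL.protocolVersion=TLS1'

# Highest N currently used by wrapper.java.additional.N in FILE (empty if none).
max_additional_index() {
    sed -n 's/^wrapper\.java\.additional\.\([0-9]*\)=.*/\1/p' "$1" \
        | sort -n | tail -n 1
}

# Insert the TLS property as wrapper.java.additional.<max+1> directly after
# the highest-numbered existing entry (appended if there is none).
# Idempotent: a file that already carries the property is left untouched.
# Prints the property line that is in the file afterwards.
add_tls_property() {
    file=$1
    if grep -q -- "$PROP" "$file"; then
        grep -- "$PROP" "$file"
        return 0
    fi
    [ -e "$file-ORIG" ] || cp "$file" "$file-ORIG"   # backup, as the article suggests
    n=$(max_additional_index "$file")
    line="wrapper.java.additional.$((${n:-0} + 1))=$PROP"
    if [ -z "$n" ]; then
        printf '%s\n' "$line" >> "$file"
    else
        awk -v idx="$n" -v new="$line" '
            { print }
            $0 ~ ("^wrapper\\.java\\.additional\\." idx "=") { print new }
        ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    fi
    printf '%s\n' "$line"
}

# Succeed only if the indices 1..N are contiguous and unique. The Java Service
# Wrapper ignores every wrapper.java.additional.N entry after the first gap in
# the sequence, so a gap would silently drop the TLS restriction.
check_sequence() {
    sed -n 's/^wrapper\.java\.additional\.\([0-9]*\)=.*/\1/p' "$1" \
        | sort -n \
        | awk 'NR != $1 { bad = 1 } END { exit bad }'
}

# Usage (from the wrapper directory, as rsaadmin, services stopped):
#   sh poodle_hotfix.sh AdminServerWrapper.conf BiztierServerWrapper.conf ConsoleServerWrapper.conf
for f in "$@"; do
    add_tls_property "$f"
    check_sequence "$f" \
        || echo "WARNING: non-sequential wrapper.java.additional entries in $f" >&2
done
```

After the chgrp/chmod step and “./rsaserv start all”, confirm the change took effect from another host with OpenSSL: “openssl s_client -connect host:port -ssl3” must now fail the handshake on each affected port, while “openssl s_client -connect host:port -tls1” must still connect. An OpenSSL build compiled without SSLv3 support cannot perform the negative test, so use one that still has it for that check. Note that the TLS1 value still permits TLS 1.0, which removes SSLv3 (the POODLE precondition) but does not by itself address later findings against TLS 1.0.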