SSLv3 POODLE Vulnerability (CVE-2014-3566) in RSA DCS products

2 years ago

Originally Published: 2014-12-29

Article Number

000063402

Applies To

RSA Certificate Manager 6.9 build 557 and earlier builds (Windows only)
RSA Registration Manager 6.9 build 557 and earlier builds (Windows only)
RSA Certificate Manager 6.8 build 522 and earlier builds (all platforms)
RSA Registration Manager 6.8 build 522 and earlier builds (all platforms)
RSA Validation Manager 3.2 build 200 and earlier builds (Windows only)
RSA Validation Manager 3.1 build 162 and earlier builds (Windows only)

CVE Identifier(s)

CVE-2014-3566

Article Summary

SSLv3 protocol is vulnerable when using block cipher in CBC mode. SSLv3 uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

Link to Advisories

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

Alert Impact Explanation

To mitigate the effects of POODLE, follow the steps provided below to disable the use of SSLv3 in RSA DCS products:

	Product	Steps to disable SSLv3
A)	RSA Certificate Manager 6.9 build 557 and earlier builds (Windows only)	RSA Certificate Manager 6.9 build 557 and earlier, on Windows, allow the use of SSLv3 with a block cipher with CBC mode of operation. Update the configuration file httpd.conf to use TLSv1 protocol and disallow SSL3.0. The following are the steps to allow TLS1.0 and TLS1.1 protocols: 1. Open the following file: INSTALL_DIR/WebServer/conf/httpd.conf 2. Add the following line for virtual hosts of Administration, Enrollment and Renewal Server below to the “SSLCipherSuite” directive: SSLProtocol all -SSLv2 -SSLv3 3. Restart RSA Certificate Manager services NOTE: - SCEP and CRL Servers do not use SSL by default. CMP Enroll and REST Servers, if enabled, use TLSv1 by default. - RSA Certificate Manager 6.9 build 557 and earlier do not support TLS1.2 protocol.
B)	RSA Registration Manager 6.9 build 557 and earlier builds (on Windows)	RSA Registration Manager 6.9 build 557 and earlier, on Windows, allow the use of SSLv3 with a block cipher with CBC mode of operation. Update the configuration file httpd.conf to use TLSv1 protocol and disallow SSL3.0. The following are the steps to allow TLS1.0 and TLS1.1 protocols: 1. Open the following file: INSTALL_DIR/WebServer/conf/httpd.conf 2. Add the following line for virtual hosts of Administration, Enrollment and Renewal Server below to the “SSLCipherSuite” directive: SSLProtocol all -SSLv2 -SSLv3 3. Restart RSA Registration Manager services NOTE: - SCEP Server does not use SSL by default. - RSA Registration Manager 6.9 build 557 and earlier do not support TLS1.2 protocol.
C)	RSA Certificate Manager 6.8 build 522 and earlier builds (all platforms)	RSA Certificate Manager 6.8 build 522 and earlier allow the use of SSLv3 with a block cipher with CBC mode of operation. Update the configuration file httpd.conf to use TLSv1 protocol and disallow SSL3.0 or upgrade to RSA Certificate Manager 6.9 build 557 and update the configuration file to use TLSv1. The following are the steps to allow TLS1.0 and TLS1.1 protocols: 1. Open the following file: INSTALL_DIR/WebServer/conf/httpd.conf 2. Add the following line for virtual hosts of Administration, Enrollment and Renewal Server below to the “SSLCipherSuite” directive: SSLProtocol all -SSLv2 -SSLv3 3. Restart RSA Certificate Manager services NOTE: - SCEP and CRL Servers do not use SSL by default. - RSA Certificate Manager 6.8 build 522 and earlier do not support TLS1.2 protocol.
D)	RSA Registration Manager 6.8 build 522 and earlier builds (all platforms)	RSA Registration Manager 6.8 build 522 and earlier allow the use of SSLv3 with a block cipher with CBC mode of operation. Update the configuration file httpd.conf to use TLSv1 protocol and disallow SSL3.0 or Upgrade to RSA Registration Manager 6.9 build 557 and change the configuration file to use TLSv1. The following are the steps to allow TLS1.0 and TLS1.1 protocols: 1. Open the following file: INSTALL_DIR/WebServer/conf/httpd.conf 2. Add the following line for virtual hosts of Administration, Enrollment and Renewal Server below to the “SSLCipherSuite” directive: SSLProtocol all -SSLv2 -SSLv3 3. Restart RSA Registration Manager services NOTE: - SCEP Server does not use SSL by default. - RSA Registration Manager 6.8 build 522 and earlier do not support TLS1.2 protocol.
E)	RSA Validation Manager 3.2 build 200 and earlier builds (on Windows)	RSA Validation Manager v3.2 build 200 and earlier, on Windows, allow the use of SSLv3 with a block cipher with CBC mode of operation. Update the configuration file httpd.conf to use TLSv1 protocol and disallow SSL3.0. The following are the steps to allow TLS1.0 and TLS1.1 protocols: 1. If SSL is enabled for OCSP over HTTPS, open the following file: INSTALL_DIR/ValidationServer/conf/httpd.conf 2. Add the following line in the virtual host section below to the “SSLCipherSuite” directive: SSLProtocol all -SSLv2 -SSLv3 3. Open the following file: INSTALL_DIR/ValidationServer/conf/httpd-ssl 4. Add the following line right after all occurrences of the “SSLCipherSuite” directive: SSLProtocol all -SSLv2 -SSLv3 5. Restart RSA Validation Manager services NOTE: - RSA Validation Manager v3.2 build 200 and earlier do not support TLS1.2 protocol.
F)	RSA Validation Manager 3.1 build 162 and earlier builds (on Windows)	RSA Validation Manager v3.1 build 162 and earlier, on Windows, allow the use of SSLv3 with a block cipher with CBC mode of operation. Update the configuration file httpd.conf to use TLSv1 protocol and disallow SSL3.0. The following are the steps to allow TLS1.0 and TLS1.1 protocols: 1. If SSL is enabled for OCSP over HTTPS, open the following file: INSTALL_DIR/ValidationServer/conf/httpd.conf 2. Add the following line in the virtual host section below to the “SSLCipherSuite” directive: SSLProtocol all -SSLv2 -SSLv3 3. Open the following file: INSTALL_DIR/ValidationServer/conf/httpd-ssl 4. Add the following line right after all occurrences of the “SSLCipherSuite” directive: SSLProtocol all -SSLv2 -SSLv3 5. Restart RSA Validation Manager services NOTE: - RSA Validation Manager v3.1 build 162 and earlier do not support TLS1.2 protocol.

Disclaimer

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Corporation distributes RSA Security Advisories, in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change

Related Articles

Trending Articles