ZENworks Configuration Management Security Announcement: CVE-2014-3566 'POODLE' weakness in the SSL protocol

  • 7015826
  • 23-Oct-2014
  • 20-Jul-2015

Environment

Novell ZENworks Configuration Management 11.3
Novell ZENworks Configuration Management 11.2

Situation

SSLv3 Fallback Protection “POODLE” vulnerability (CVE-2014-3566)

Severity: Medium

Version: OpenSSL 1.0.1, 1.0.0, 0.9.8

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding-oracle side-channel attack.

OpenSSL Description: "Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a number of weaknesses including POODLE."

All products using OpenSSL version 1.0.1, 1.0.0, 0.9.8 are impacted.

Resolution

Note: Below in this document are specific instructions on how to disable SSL 3.0 (which has the POODLE vulnerability) by editing the appropriate 'server.xml' configuration files. Be aware that doing so will affect the imaging component "Preboot Service" (pbserv), which will no longer be able to communicate with the "ZEN Server" service (zenserver), thus breaking the ability to perform imaging operations. To overcome this side effect you need to apply the patch provided below (according to the ZCM version you are running) to all Primary Servers and Satellites that perform imaging.

Note regarding ZCM 11.3.2: The "Preboot Service" (pbserv) patch is already included in ZCM 11.3.2, as well as the "ZEN Server" service (zenserver) configuration fix.  But the configuration file for "CasaAuthTokenSvc" service (server.xml) must still be fixed manually (if not done previously) as described below in this TID.  In other words, if you have already applied this TID in the past, and later updated to ZCM 11.3.2, then everything is covered.  If you have not applied this TID, and updated to ZCM 11.3.2, then you still have to edit/fix the configuration file for the CasaAuthTokenSvc accordingly.  In the future, any ZCM update AFTER 11.3.2 will have this POODLE fix built in, and no action will be required, regardless of what was done in the past. 

ZEN 11.2.4 & ZEN 11.2.4 MU1:

https://download.novell.com/Download?buildid=Povsml5Ljxg~

ZEN 11.3.0, 11.3.0 Windows 8.1 & ZEN 11.3.0 FRU1:

https://download.novell.com/Download?buildid=zxTIqXxmcxk~

ZEN 11.3.1 & ZEN 11.3.1 FRU1:

https://download.novell.com/Download?buildid=-rPCjAsWa_g~


Again, as mentioned above, after applying this patch you will still need to follow the instructions below to disable SSL 3.0.  If you have further concerns about this please contact Novell Support.

ZENworks 11.3, 11.3.X

  1. ZCM Primary Server installed on the Windows platform:

Steps to disable sslv3 support:

  1. Stop the “Novell ZENworks Server” and "CasaAuthTokenSvc" services in the Services manager.

  2. Take a backup and edit the following configuration files: "%ZENWORKS_HOME%\share\tomcat\conf\server.xml" and "%ZENWORKS_HOME%\share\ats\catalinabase\conf\server.xml".

  3. Modify the below mentioned line in both server.xml files, save the changes and then start both services stopped in step 1.

<Connector SSLEnabled="true" acceptCount="100" ciphers="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA" clientAuth="false" disableUploadTimeout="true" enableLookups="false" keyAlias="tomcat" keystoreFile="C:/Program Files (x86)/Novell/ZENworks/conf/security/server.keystore" keystorePass="f32da5b9fe197fae08d5a5cb37c8062c" maxHttpHeaderSize="8192" maxPostSize="0" maxSpareThreads="75" maxThreads="200" minSpareThreads="25" port="443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>

To

<Connector SSLEnabled="true" acceptCount="100" ciphers="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA" clientAuth="false" disableUploadTimeout="true" enableLookups="false" keyAlias="tomcat" keystoreFile="C:/Program Files (x86)/Novell/ZENworks/conf/security/server.keystore" keystorePass="f32da5b9fe197fae08d5a5cb37c8062c" maxHttpHeaderSize="8192" maxPostSize="0" maxSpareThreads="75" maxThreads="200" minSpareThreads="25" port="443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"/>

(The element to add, marked in red in the original, is the sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" attribute. SSLv2Hello only permits the SSLv2-format ClientHello and does not enable SSLv2 or SSLv3 itself.)

  4. Run the command 'novell-zenworks-configure -c Start' and restart the services.

  2. ZCM Primary Server installed on the Linux platform:

Steps to disable sslv3 support:

  1. Take a backup of the following configuration files:  "/opt/novell/zenworks/share/tomcat/conf/server.xml" and "/srv/www/casaats/conf/server.xml".

  2. Edit both server.xml files to remove SSLv3 support.

  3. Modify the below mentioned line in both server.xml files and save the changes.

<Connector port="443" maxHttpHeaderSize="8192" maxThreads="200"
minSpareThreads="25" maxSpareThreads="75" protocol="HTTP/1.1"
SSLEnabled="true" enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS"
keystoreFile="/etc/opt/novell/zenworks/security/server.keystore"
keystorePass="264535baeb156cbbd8c52dc277513873" keyAlias="tomcat"
maxPostSize="0"
ciphers="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA" />

To

<Connector port="443" maxHttpHeaderSize="8192" maxThreads="200"
minSpareThreads="25" maxSpareThreads="75" protocol="HTTP/1.1"
SSLEnabled="true" enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
keystoreFile="/etc/opt/novell/zenworks/security/server.keystore"
keystorePass="264535baeb156cbbd8c52dc277513873" keyAlias="tomcat"
maxPostSize="0"
ciphers="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA" />

(The element to add, marked in red in the original, is the sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" attribute.)

  4. Run the command 'novell-zenworks-configure -c Start' and restart the services.


ZENworks 11.2, 11.2.X

  1. ZCM Primary Server installed on the Windows platform:

Steps to disable sslv3 support:

  1. Stop the “Novell ZENworks Server” and "CasaAuthTokenSvc" services in the Services manager.

  2. Take a backup and edit the following configuration files: "%ZENWORKS_HOME%\share\tomcat\conf\server.xml" and "%ZENWORKS_HOME%\share\ats\catalinabase\conf\server.xml".

  3. Modify the below mentioned line in both server.xml files, save the changes and then start both services stopped in step 1.

<Connector SSLEnabled="true" acceptCount="100" ciphers="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA" clientAuth="false" disableUploadTimeout="true" enableLookups="false" keyAlias="tomcat" keystoreFile="C:/Program Files (x86)/Novell/ZENworks/conf/security/server.keystore" keystorePass="f32da5b9fe197fae08d5a5cb37c8062c" maxHttpHeaderSize="8192" maxPostSize="0" maxSpareThreads="75" maxThreads="200" minSpareThreads="25" port="443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>

To

<Connector SSLEnabled="true" acceptCount="100" ciphers="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA" clientAuth="false" disableUploadTimeout="true" enableLookups="false" keyAlias="tomcat" keystoreFile="C:/Program Files (x86)/Novell/ZENworks/conf/security/server.keystore" keystorePass="f32da5b9fe197fae08d5a5cb37c8062c" maxHttpHeaderSize="8192" maxPostSize="0" maxSpareThreads="75" maxThreads="200" minSpareThreads="25" port="443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" sslProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"/>

(The element to add, marked in red in the original, is the sslProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" attribute; note that the 11.2 connectors use the attribute name sslProtocols rather than sslEnabledProtocols.)

  4. Run the command 'novell-zenworks-configure -c Start' and restart the services.


  2. ZCM Primary Server installed on the Linux platform:

Steps to disable sslv3 support:

  1. Take a backup of the following configuration files:  "/opt/novell/zenworks/share/tomcat/conf/server.xml" and "/srv/www/casaats/conf/server.xml".

  2. Edit both server.xml files to remove SSLv3 support.

  3. Modify the below mentioned line in both server.xml files and save the changes.

<Connector port="443" maxHttpHeaderSize="8192" maxThreads="200"
minSpareThreads="25" maxSpareThreads="75" protocol="HTTP/1.1"
SSLEnabled="true" enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS"
keystoreFile="/etc/opt/novell/zenworks/security/server.keystore"
keystorePass="264535baeb156cbbd8c52dc277513873" keyAlias="tomcat"
maxPostSize="0"
ciphers="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA" />

To

<Connector port="443" maxHttpHeaderSize="8192" maxThreads="200"
minSpareThreads="25" maxSpareThreads="75" protocol="HTTP/1.1"
SSLEnabled="true" enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS" sslProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
keystoreFile="/etc/opt/novell/zenworks/security/server.keystore"
keystorePass="264535baeb156cbbd8c52dc277513873" keyAlias="tomcat"
maxPostSize="0"
ciphers="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA" />

(The element to add, marked in red in the original, is the sslProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" attribute.)

  4. Run the command 'novell-zenworks-configure -c Start' and restart the services.
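As an added verification check, not part of this TID or of ZENworks itself: the Python script below audits a Tomcat server.xml for SSL-enabled Connector elements and reports whether each one pins its protocol list, accepting either attribute name used on this page (sslEnabledProtocols for the 11.3 connectors, sslProtocols for the 11.2 ones). The two embedded server.xml fragments are constructed, stripped-down versions of the before and after lines above; pass a real server.xml path as the first argument to audit it instead.

```python
import sys
import xml.etree.ElementTree as ET

# The 11.3 connectors on this page use sslEnabledProtocols; the 11.2 ones use sslProtocols.
PROTOCOL_ATTRS = ("sslEnabledProtocols", "sslProtocols")

def audit_connectors(server_xml: str) -> list:
    """Return one (port, status, reason) finding per SSL-enabled <Connector>."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP and AJP connectors are out of scope
        port = conn.get("port")
        attr = next((a for a in PROTOCOL_ATTRS if conn.get(a)), None)
        if attr is None:
            # No explicit list: Tomcat falls back to the JVM's default enabled
            # protocols, which on older JDKs still included SSLv3.
            findings.append((port, "VULNERABLE", "no protocol list, JVM default applies"))
            continue
        protocols = [p.strip() for p in conn.get(attr).split(",") if p.strip()]
        # SSLv2Hello only accepts the v2-format ClientHello; it is not a negotiable version.
        if "SSLv3" in protocols:
            findings.append((port, "VULNERABLE", f"{attr} explicitly lists SSLv3"))
        elif not any(p.startswith("TLSv1") for p in protocols):
            findings.append((port, "MISCONFIGURED", f"{attr} enables no TLS version"))
        else:
            findings.append((port, "OK", f"{attr}={','.join(protocols)}"))
    return findings

# Constructed fragments modelled on the TID's before/after Connector lines (not real ZCM files).
BEFORE = """<Server><Service name="Catalina">
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"/>
  <Connector port="80" protocol="HTTP/1.1"/>
</Service></Server>"""
AFTER = BEFORE.replace('sslProtocol="TLS"',
                       'sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"')

if __name__ == "__main__":
    # Pass a real server.xml path to audit it; otherwise run on the constructed samples.
    docs = [(sys.argv[1], open(sys.argv[1]).read())] if len(sys.argv) > 1 else [("before", BEFORE), ("after", AFTER)]
    for label, doc in docs:
        for port, status, reason in audit_connectors(doc):
            print(f"{label}: port {port}: {status} ({reason})")
```

Run it against both the tomcat and the CasaAuthTokenSvc server.xml on every Primary Server, since the TID requires both files to be fixed.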