ZENworks Logjam Vulnerability

  • 7016807
  • 31-Aug-2015
  • 03-Oct-2016

Environment

Novell ZENworks Configuration Management 11.3

Situation

Platform vendors such as Microsoft and Red Hat released security patches for the Logjam vulnerability (CVE-2015-4000). Those patches make TLS clients reject Diffie-Hellman key exchange with short groups, so after they are applied, communication is lost between Primary Servers, Satellites and managed devices.

During a registration attempt (zac reg) the following error is logged:

RegistrationManager - Network error connecting to server: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel


Resolution

This is fixed in ZENworks 11.4; see KB 7016614 "ZENworks Configuration Management 11 SP4 (11.4.0) - update information and list of fixes" at https://support.microfocus.com/kb/doc.php?id=7016614


Workaround:

Primary servers:

  1. Stop the ZENworks services on the Primary Server:
    novell-zenworks-configure -c Start (select Stop and press Enter twice)
  2. Make a backup of, then edit, the configuration files below:
    Windows :
    %ZENWORKS_HOME%\share\tomcat\conf\server.xml
    %ZENWORKS_HOME%\share\ats\catalinabase\conf\server.xml

    Linux:
    /opt/novell/zenworks/share/tomcat/conf/server.xml
    /srv/www/casaats/conf/server-sun.xml
  3. In each file, replace the value of the ciphers attribute on the SSL-enabled <Connector> element with the cipher-suite list below (one line, comma separated, no spaces):  SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256
  4. Start the ZENworks services:
    novell-zenworks-configure -c Start (select Start and press Enter twice)

This list restores connectivity with patched clients; it still contains RC4 and 3DES suites and is not a hardened cipher policy, so treat it as an interim measure and plan the upgrade to 11.4.

Authentication Satellite servers:

If it is not possible to upgrade to ZCM 11.4 at this time, Novell has made an interim patch (FTF) available for testing for each 11.3.x release. Apply it only to Satellite Servers that show the symptoms above and are losing communication as a result. There is a separate build per release, so use the one that matches the release installed on the Satellite.

11.3.1:

https://download.novell.com/Download?buildid=okaco1PldFk~ ("ZCM 11.3.1 Logjam Vulnerability Fix for Satellite Servers - TID 7016807")

11.3.1 FRU1:

https://download.novell.com/Download?buildid=pNXvVUtSbag~ ("ZCM 11.3.1 FRU1 Logjam Vulnerability Fix for Satellite Servers - TID 7016807")

11.3.2:

https://download.novell.com/Download?buildid=GDbiBPeAuw8~ ("ZCM 11.3.2 Logjam Vulnerability Fix for Satellite Servers - TID 7016807")

11.3.2 FRU1:

https://download.novell.com/Download?buildid=f72lm38lPbY~ ("ZCM 11.3.2 FRU1 Logjam Vulnerability Fix for Satellite Servers - TID 7016807")



ZENworks Reporting Server (ZRS Jaspersoft):

Make a backup of, then edit, the configuration file below:

Windows :

C:\Program Files\novell\zenworks-reporting\js\apache-tomcat\conf\server.xml

Linux:

/opt/novell/zenworks-reporting/js/apache-tomcat/conf/server.xml

In the <Connector SSLEnabled="true" ...> element, add the attribute (one line, comma separated, no spaces):

ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256"
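The Primary Server edit (steps 2 and 3) and the ZRS edit above are the same change applied to several Tomcat files, so here is an added example that makes it, written for this page and not ZENworks or Tomcat code. It sets the ciphers attribute on every <Connector SSLEnabled="true"> start tag in a file, replacing the attribute where it exists (Primary Server case) and adding it where it does not (ZRS case), leaves connectors that sit inside XML comments alone, and writes a .bak copy before touching the file. The sample server.xml fragment at the bottom is constructed for the demonstration; the file names you pass on the command line are the paths listed above, and the ZENworks services must be stopped first, as the procedure says.

```python
"""Set the ciphers attribute on SSL-enabled Tomcat <Connector> elements.

Added example for this TID, not ZENworks or Tomcat code.  The cipher list is
the workaround list from this article, verbatim.
"""
import re
import shutil
import sys

# The cipher-suite list from the workaround above (33 suites).
CIPHERS = ",".join([
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
])

CONNECTOR_RE = re.compile(r"<Connector\b[^>]*>")        # one start tag, may span lines
CIPHERS_ATTR_RE = re.compile(r'\sciphers\s*=\s*"[^"]*"')
SSL_ENABLED_RE = re.compile(r'\bSSLEnabled\s*=\s*"true"', re.IGNORECASE)
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)


def set_ciphers(xml_text, ciphers=CIPHERS):
    """Return (new_text, changed): changed counts SSLEnabled="true" connectors
    whose ciphers attribute was replaced or added.  Commented-out connectors
    (Tomcat ships one in its default server.xml) are left untouched."""
    comment_spans = [m.span() for m in COMMENT_RE.finditer(xml_text)]
    new_attr = ' ciphers="%s"' % ciphers
    changed = 0

    def fix(match):
        nonlocal changed
        tag = match.group(0)
        if any(a <= match.start() < b for a, b in comment_spans):
            return tag
        if not SSL_ENABLED_RE.search(tag):
            return tag
        changed += 1
        if CIPHERS_ATTR_RE.search(tag):
            return CIPHERS_ATTR_RE.sub(lambda _: new_attr, tag, count=1)
        if tag.endswith("/>"):
            return tag[:-2].rstrip() + new_attr + " />"
        return tag[:-1].rstrip() + new_attr + ">"

    return CONNECTOR_RE.sub(fix, xml_text), changed


def apply_to_file(path, ciphers=CIPHERS):
    """Back up path to path + '.bak', rewrite it in place, return the count."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    updated, changed = set_ciphers(original, ciphers)
    if changed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as f:
            f.write(updated)
    return changed


# Constructed sample fragment for the demonstration, not from a real install:
# one plain HTTP connector, one commented-out SSL connector, one SSL connector
# with an old ciphers attribute, and one SSL connector without the attribute.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" />
    <!-- <Connector port="8443" SSLEnabled="true" /> -->
    <Connector port="443" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"
               ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
               sslProtocol="TLS" />
    <Connector port="8443" SSLEnabled="true" scheme="https"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print("%s: %d connector(s) updated" % (p, apply_to_file(p)))
    else:
        text, n = set_ciphers(SAMPLE_SERVER_XML)
        print(text)
        print("%d connector(s) updated" % n)
```

Run with no arguments to see the rewritten sample, or pass the server.xml paths from the procedure (for example the two Primary Server files on Windows, or the ZRS file) to edit them in place with a .bak copy beside each.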




Additional Information

Known Problems and Limitations:

On RHEL Satellites with an older openssl package, that is openssl-1.0.1e-15.el6.x86_64 or any version lower than openssl-1.0.1e-30.el6_6.11.x86_64, the FTF (the Satellite Server fix above) may break agent-to-satellite communication over SSL.

To fix this, update the openssl package on the RHEL Satellite to the latest version and then verify SSL communication. openssl-1.0.1e-30.el6_6.11.x86_64 or higher is available via the Red Hat Network.
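An added check for the openssl caveat above, example code written for this page and not ZENworks or Red Hat code: it asks rpm for the installed openssl package(s) and compares them with openssl-1.0.1e-30.el6_6.11 using a reimplementation of rpm's version ordering (numeric runs compared as numbers, alphabetic runs lexically, a numeric run ranking above an alphabetic one, leftover runs winning; the ~ and ^ rules are omitted), so the verdict does not depend on sort -V or rpmdev-vercmp being present on the Satellite. The package strings in the comments and test are constructed; on a real Satellite the script queries rpm.

```python
"""Is the RHEL openssl package below the build this TID requires on a Satellite?

Added example for this TID, not ZENworks or Red Hat code.  Reimplements rpm's
version ordering (without the ~ and ^ rules) to compare against
openssl-1.0.1e-30.el6_6.11.
"""
import re
import subprocess

REQUIRED_VR = "1.0.1e-30.el6_6.11"   # version-release from the TID, arch dropped

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 for a <, ==, > b in rpm's ordering."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # numeric run is newer than alpha run
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1          # whoever has segments left wins


def compare_vr(a, b):
    """Compare 'version-release' strings: version first, release breaks ties."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def strip_package(nvra):
    """'openssl-1.0.1e-15.el6.x86_64' -> '1.0.1e-15.el6' (name and arch removed)."""
    s = nvra
    if s.startswith("openssl-"):
        s = s[len("openssl-"):]
    return re.sub(r"\.(x86_64|i686|i386|noarch)$", "", s)


def openssl_needs_update(installed, required=REQUIRED_VR):
    """True when the installed package sorts below the required version-release.
    Example (constructed): 'openssl-1.0.1e-15.el6.x86_64' -> True."""
    return compare_vr(strip_package(installed), required) < 0


def installed_openssl():
    """Query rpm for every installed openssl package (one line per arch).
    Raises CalledProcessError if the package is not installed."""
    out = subprocess.check_output(["rpm", "-q", "openssl"], universal_newlines=True)
    return out.split()


if __name__ == "__main__":
    for pkg in installed_openssl():
        verdict = "update needed" if openssl_needs_update(pkg) else "ok"
        print("%s: %s (required >= openssl-%s)" % (pkg, verdict, REQUIRED_VR))
```

Run it on the RHEL Satellite after applying the FTF; an "update needed" verdict means the openssl package is below the level this note calls for and should be updated from the Red Hat Network before SSL communication is retested.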