Logjam: How Diffie-Hellman Fails in Practice describes a vulnerability in the Transport Layer Security (TLS) protocol. This blog provides guidelines for mitigating the risk of this vulnerability in the BMC Cloud Lifecycle Management (CLM) solution.
Who is impacted by this issue?
- BMC Cloud Lifecycle Management version 4.5 deployments that are:
  - Running the web-based GUI over a Tomcat or Jetty web server with HTTPS-based access
  - Using a Tomcat or Jetty configuration that accepts TLS DHE_EXPORT cipher suites
  - Using 1024-bit Diffie-Hellman groups
- BMC Cloud Lifecycle Management version 4.1 or earlier deployments that are:
  - Running the mid-tier over HTTPS
  - Refer to the instructions in the knowledge article for BMC Remedy AR System and ITSM at https://kb.bmc.com/infocenter/index?page=content&id=KA426780.
What are the steps required to fix this vulnerability in CLM v4.5?
Step 1. Applicable if the new End User Portal is deployed on Apache Tomcat
If the customer is using CLM 4.5 and the new End User Portal is deployed on Tomcat, edit the server.xml file so that the Connector element lists the ciphers shown in the following code block. Specify the allowed ciphers explicitly, as shown, and keep the attribute value on a single line:
<Connector ...ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA" />
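When rolling this change out across several CLM hosts it helps to audit each server.xml Connector before restarting anything: confirm that the ciphers attribute is present and explicit, that it contains no export-grade or other legacy suites, and emit it in the single-line form the step asks for. The script below is an added example written for this article; it is not BMC or Tomcat code. The TOMCAT_CONNECTOR constant carries the cipher list from Step 1 (with the whitespace of the published snippet), WEAK_CONNECTOR is a constructed contrast case, and the FORBIDDEN_FRAGMENTS list is this example's own policy, not something the article prescribes.

```python
import re

# Name fragments that must not appear in a hardened cipher list: export-grade
# suites (the Logjam downgrade target) plus other legacy primitives that an
# operator reviewing the same attribute would reject. Example policy only.
FORBIDDEN_FRAGMENTS = ("_EXPORT", "_NULL_", "_anon_", "_DES_", "DES40",
                       "_RC4_", "_RC2_", "_MD5")

# Step 1 Connector as published in the article (whitespace after commas kept).
TOMCAT_CONNECTOR = (
    '<Connector port="8443" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,'
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,'
    'TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,'
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,'
    'TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,'
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA" />')

# Constructed weak configuration for contrast (not from the article).
WEAK_CONNECTOR = (
    '<Connector port="8443" ciphers="TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, '
    'TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" />')


def extract_ciphers_attribute(connector_xml: str) -> str:
    """Pull the raw value of ciphers="..." out of a Connector element."""
    m = re.search(r'\bciphers="([^"]*)"', connector_xml)
    if not m:
        raise ValueError("Connector has no explicit ciphers attribute; "
                         "the JVM default suite list would apply")
    return m.group(1)


def normalize_cipher_list(raw: str) -> list:
    """Split on commas, drop whitespace, newlines and duplicates, keep order."""
    seen, out = set(), []
    for name in raw.replace("\n", ",").split(","):
        name = name.strip()
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def audit_cipher_list(names: list) -> dict:
    """Classify each suite; 'ok' is True only when nothing forbidden is present."""
    rejected = [n for n in names if any(f in n for f in FORBIDDEN_FRAGMENTS)]
    static_kx = [n for n in names
                 if not (n.startswith("TLS_ECDHE_") or n.startswith("TLS_DHE_"))]
    return {
        "ciphers": ",".join(names),        # single-line value for server.xml
        "rejected": rejected,              # must be removed before restart
        "no_forward_secrecy": static_kx,   # RSA key exchange: not forbidden here, but flagged
        "ok": not rejected,
    }


def audit_connector(connector_xml: str) -> dict:
    """Full pipeline: Connector element -> normalized list -> audit result."""
    raw = extract_ciphers_attribute(connector_xml)
    return audit_cipher_list(normalize_cipher_list(raw))


if __name__ == "__main__":
    for label, xml in (("article", TOMCAT_CONNECTOR), ("weak", WEAK_CONNECTOR)):
        result = audit_connector(xml)
        print(f"{label}: ok={result['ok']} rejected={result['rejected']}")
        print(f"  ciphers=\"{result['ciphers']}\"")
```

The rejected list is the actionable output; the no_forward_secrecy list is informational, since the article's own list is entirely ECDHE/DHE and an operator adding plain TLS_RSA suites later would want to see that surfaced.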
Step 2. Applicable if the new End User Portal is accessible from the Jetty web server embedded in the CLM Platform Manager
If the customer is using CLM 4.5 and the new End User Portal is deployed on Jetty, change secure_jetty.xml in the cloudjetty-*.jar file by performing the following steps:
- Log on to the VM or server where the CLM Platform Manager is installed and navigate to the 'Platform_Manager/lib' folder.
- Keep a copy of cloudjetty-*.jar in a different folder as a backup.
- Extract cloudjetty-*.jar to a temporary location, preferably using the 'jar' tool.
- Open the 'etc/secured_jetty.xml' file and locate the 'addConnector' entry that uses the 'org.eclipse.jetty.server.ssl.SslSelectChannelConnector' class.
- Modify the entry to include the ciphers listed in step 1. Refer to the Jetty/Howto/CipherSuites page on Eclipsepedia for details on how to restrict Jetty to specific cipher suites.
- Repackage cloudjetty-*.jar with the updated contents, preferably using the 'jar' tool.
- Overwrite cloudjetty-*.jar in the 'lib' folder with the repackaged file.
Step 3. Generate and configure a 2048-bit server certificate
This step applies if the customer has CLM 4.5 and HTTPS is configured for Tomcat or Jetty with a certificate key size smaller than 2048 bits.
- Locate the existing certificate file in Tomcat or Jetty depending on what is configured.
- Backup the existing certificate file.
- Use the following command to generate a new certificate key:
keytool -importkeystore -srckeystore jetty.pkcs12 \
    -srcstoretype PKCS12 -destkeystore keystore -keysize 2048
- Replace the existing certificate with the newly generated certificate keeping the file name exactly the same.
Refer to keytool - Key and Certificate Management Tool for more details.
Step 4. Restart the CLM Platform Manager
Ensure that all provisioning and day-2 operations that extend a service are complete before performing the following steps:
- Stop the CLM Platform Manager service.
- Delete the 'configuration/org.*' folders in the 'Platform_Manager' folder.
- Start the CLM Platform Manager service again.
Step 5. Verify that the vulnerability is fixed
Open a command prompt on a server where OpenSSL 1.0.2 or later is installed and issue the following commands to confirm that the vulnerability is fixed:
> openssl s_client -connect host:port -cipher "EDH"
... Server public key is 2048 bit ...
> openssl s_client -connect host:port -cipher "ECDHE"
-- connection should be successful --
> openssl s_client -connect host:port -cipher "EXP"
-- connection should fail --
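Reading three s_client transcripts by eye per host is error-prone, so the following added example (written for this article, not BMC code) parses s_client output and turns the three expectations above into a pass/fail verdict. Beyond the article's checks it also reads the "Server Temp Key" line that OpenSSL 1.0.2 prints, because the size of the ephemeral DH group is what Logjam actually exploits. The SAMPLE_* transcripts are constructed excerpts in the 1.0.2 layout, not captures from a real CLM host; run_probe assumes an openssl binary on PATH and is not exercised by the embedded samples.

```python
import re
import subprocess

MIN_BITS = 2048  # minimum acceptable size for both the certificate key and the DH group

# Constructed s_client excerpts (OpenSSL 1.0.2 layout). Not real captures.
SAMPLE_EDH_OK = """CONNECTED(00000003)
---
subject=/CN=clm.example.test
issuer=/CN=clm.example.test
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 3011 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA256
Server public key is 2048 bit
"""
SAMPLE_EDH_WEAK = SAMPLE_EDH_OK.replace("DH, 2048 bits", "DH, 1024 bits")
SAMPLE_ECDHE_OK = """CONNECTED(00000003)
---
Server Temp Key: ECDH, P-256, 256 bits
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 2048 bit
"""
SAMPLE_EXP_FAIL = """CONNECTED(00000003)
140735283335248:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
"""


def parse_s_client(output: str) -> dict:
    """Extract negotiated cipher, certificate key size and ephemeral key size."""
    cipher = re.search(r"Cipher is (\S+)", output)
    cert = re.search(r"Server public key is (\d+) bit", output)
    # Matches both "DH, 2048 bits" and "ECDH, P-256, 256 bits".
    temp = re.search(r"Server Temp Key: (\w+),\s*(?:[^,\n]+,\s*)?(\d+) bits", output)
    negotiated = cipher.group(1) if cipher else None
    return {
        "handshake_ok": negotiated not in (None, "(NONE)"),
        "cipher": negotiated,
        "cert_bits": int(cert.group(1)) if cert else None,
        "temp_key_type": temp.group(1) if temp else None,
        "temp_key_bits": int(temp.group(2)) if temp else None,
    }


def evaluate(outputs: dict) -> dict:
    """outputs maps the -cipher argument ("EDH", "ECDHE", "EXP") to s_client text.
    Returns, per probe, whether the expected outcome from Step 5 was observed."""
    edh = parse_s_client(outputs["EDH"])
    dh_bits = edh["temp_key_bits"]
    return {
        "EDH": edh["handshake_ok"]
               and (edh["cert_bits"] or 0) >= MIN_BITS
               and (dh_bits is None or dh_bits >= MIN_BITS),
        "ECDHE": parse_s_client(outputs["ECDHE"])["handshake_ok"],
        "EXP": not parse_s_client(outputs["EXP"])["handshake_ok"],
    }


def run_probe(host: str, port: int, cipher: str, timeout: int = 15) -> str:
    """Run one s_client probe and return its combined stdout/stderr.
    Assumes an openssl binary on PATH; stdin is closed so s_client exits."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-cipher", cipher],
        input=b"", capture_output=True, timeout=timeout)
    return proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")


if __name__ == "__main__":
    samples = {"EDH": SAMPLE_EDH_OK, "ECDHE": SAMPLE_ECDHE_OK, "EXP": SAMPLE_EXP_FAIL}
    print("hardened sample:", evaluate(samples))
    samples["EDH"] = SAMPLE_EDH_WEAK
    print("1024-bit DH sample:", evaluate(samples))
    # Against a live host: evaluate({c: run_probe("host", 443, c) for c in ("EDH", "ECDHE", "EXP")})
```

A host passes only when all three verdicts are True; a 1024-bit DH group fails the EDH probe even though the certificate key is 2048 bits, which is the case the article's "Server public key" check alone would not catch.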
Update the configurations in other point products shipped with CLM
In addition to these changes, apply the corresponding changes in the other point products that integrate with BMC CLM. Refer to The Logjam Attack -- CVE-2015-4000 - BMC for more details.