Share This:

The SSL protocol 3.0 uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. More information: CVE-2014-3566

 

BMC Control-M/Enterprise Manager

 

BMC Control-M/Enterprise Manager client to server SSL communication and browser to Control-M/Enterprise Manager HTTPS communication may be vulnerable to the POODLE security vulnerability in versions 6.4.x ,7.0.x, 8.0.x.

 

The solution is available for Control-M/Enterprise Manager 7.0.00.200 (Fix Pack 2) and above. Follow the steps below to implement the solution.

 

Control-M/Enterprise Manager Client and Servers communication (CORBA):

 

Customers wishing to block SSLv3 in the Control-M/Enterprise Manager Clients and Servers should change the configuration at the EM Servers only. There is no need to change this on the clients side nor does the configuration the jacorb.properties for Java Clients need to be changed (EM API, BPI, Self Service and Workload Change Manager web applications).

 

In configuration file  <EM Installation>/etc/domains/config.xml , edit the file and at the scope of “default”:

  <scope name="default">

 

Change:

   <variable name="-SSLVersionList" value="SSLv2,SSLv3,TLSv1" />

To:

   <variable name="-SSLVersionList" value="TLSv1" />


If the -SSLVersionList parameter appears multiple times, modify each entry.


If the -SSLVersionList parameter is not present in your config.xml file, you should add it by inserting the To: line in the "default scope (between the  <scope name="default">  and  </scope> lines).

 

Restart the Control-M/EM server components and Naming Service afterwards for this change to take effect.

 

NOTE:

The Control-M Naming Service component cannot be configured to refuse SSLv3 connections.  This does not pose a security threat as the only information the Control-M Naming Service keeps is an internal directory of Host and Ports of Control-M Enterprise Manager server components. There is no business or user/password information stored in the Naming service.

 

HTTPS of Control-M/Enterprise Manager Web Server:

 

In the configuration file <EM Installation>/etc/emweb/tomcat/conf/server.xml replace the existing sslProtocol="TLS" with sslProtocols="TLSv1, TLSv1.1, TLSv1.2" when enabling HTTPS:

 

<!-- HTTPS Configuration -->

  maxThreads="150" scheme="https" secure="true"

  clientAuth="false" sslProtocols="TLSv1, TLSv1.1, TLSv1.2"

  keystoreFile="conf/tomcat.keystore"

  keystorePass="emdemo" />

 

 

 

BMC Control-M/Server, Control-M/Agent and Control-M for Advanced File Transfer

 

BMC Control-M/Server, Control-M/Agent and Control-M for Advanced File Transfer use an SSL implementation that does not implement protocol fallback and are therefore not vulnerable to this attack.