The POODLE vulnerability has been getting a lot of attention across the industry. The SSL 3.0 "POODLE" security vulnerability, CVE-2014-3566, affects several BMC products, including BPPM.
POODLE stands for Padding Oracle On Downgraded Legacy Encryption. It allows a man-in-the-middle attacker who can also make the victim's browser send chosen requests (for example through injected JavaScript) to recover plaintext such as a session cookie, one byte at a time, through a padding-oracle side channel: an SSL 3.0 server checks only the last byte of the CBC padding, so a deliberately altered record is accepted with probability 1/256, and each acceptance reveals one plaintext byte. More details are available in the upstream OpenSSL advisory.
POODLE affects an older protocol, Secure Sockets Layer (SSL) version 3.0. Its successor, Transport Layer Security (TLS), defines the value of every padding byte and rejects records that do not match, so the protocol flaw behind CVE-2014-3566 does not apply to TLS 1.0 and later. The danger is the "downgrade" in the name: many clients retry with SSL 3.0 when a TLS handshake fails, and an attacker in the middle can make that handshake fail on purpose, so a server that still accepts SSL 3.0 is exposed even when it prefers TLS. That is why the fix is to disable SSL 3.0 outright rather than to rely on TLS being preferred.
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
Impacted BPPM versions:
BMC ProactiveNet Performance Management Suite 9.6
BMC ProactiveNet Performance Management Suite Server 9.5
BMC ProactiveNet Performance Management Suite Server 9.0
BMC ProactiveNet Performance Management Suite Server 8.6
For the other affected products, see the BMC Product Information on POODLE vulnerability page.
BMC is providing a workaround for POODLE on BPPM Server systems. BPPM itself does not rely on SSL 3.0, but the Apache HTTP Server installed as part of BPPM accepts SSL 3.0 connections unless it is configured not to, and that is what the workaround turns off.
Note that upgrading to a newer BPPM release overwrites the same Apache httpd-ssl.conf file, so the workaround has to be reapplied after any upgrade.
1. Stop BPPM Server with "pw system stop"
2. Back up the platform-specific httpd-ssl.conf file:
For BPPM 9.5 and 9.6 versions --> <BPPM HOME>\pw\apache\conf\extra\httpd-ssl.conf (Windows)
<BPPM HOME>/pw/apache/conf/extra/httpd-ssl.conf (Linux/Solaris)
For BPPM 9.0 and 8.6 versions --> <BPPM HOME>\pw\ApacheGroup\Apache\conf\httpd-ssl.conf (Windows)
<BPPM HOME>/pw/Apache/conf/httpd-ssl.conf (Linux/Solaris)
3. Edit the platform-specific file and save it.
Add the following line to httpd-ssl.conf in the "SSL Cipher Suite" section:
SSLProtocol all -SSLv2 -SSLv3
If that section already contains an SSLProtocol line, change that line instead of adding a second one: mod_ssl honours the last SSLProtocol directive in a section, so a later "SSLProtocol all -SSLv2" would silently re-enable SSL 3.0.
4. Restart the ProactiveNet Server with "pw system start"
Once the change is saved and the server restarted, the bundled Apache no longer negotiates SSL 3.0, which removes the POODLE exposure. To confirm it from another host, attempt an SSL 3.0-only handshake against the server's HTTPS port, for example with "openssl s_client -connect <host>:<port> -ssl3"; after the change the handshake must fail instead of printing a negotiated cipher. This check needs an OpenSSL build that still includes SSLv3 support; many current builds reject the -ssl3 option, in which case use an older build or a TLS scanner. If you have any questions or need additional information, please contact Support. This information is also referenced in our Knowledge Base under How to disable Apache SSL V3.0 in BPPM for POODLE vulnerability
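As an added check, not part of BMC's procedure or of the BPPM product, the following POSIX shell script tells you whether an httpd-ssl.conf still permits SSL 3.0 and can probe the running server with an SSL 3.0-only handshake. It evaluates the SSLProtocol directive the way mod_ssl does: the last directive in the file wins, an unsigned token such as "all" or "TLSv1" replaces the whole protocol set, "+X" and "-X" add or remove one protocol, and a file with no directive falls back to mod_ssl's old default of "all". The variable names BPPM_SSL_CONF, BPPM_HOST and BPPM_PORT are assumed here for the driver at the bottom; the file paths are the ones given in the steps above.

```shell
#!/bin/sh
# Added example, not BMC's code: audit the effective SSLProtocol setting in an
# httpd-ssl.conf and, optionally, probe the live listener for SSL 3.0.

# conf_allows_sslv3 FILE
# Exit status 0 if the file's effective SSLProtocol still permits SSLv3,
# 1 if SSLv3 is excluded. mod_ssl applies the last SSLProtocol directive in a
# context, so only the last uncommented occurrence is evaluated.
conf_allows_sslv3() {
    file=$1
    # Strip CRs first so a file edited on Windows parses the same way.
    tokens=$(tr -d '\r' < "$file" \
             | grep -i '^[[:space:]]*SSLProtocol[[:space:]]' \
             | tail -n 1 \
             | awk '{ $1 = ""; sub(/^[ \t]+/, ""); print }' \
             | tr '[:upper:]' '[:lower:]')
    # No directive at all: the default was "all" (which includes SSLv3) in
    # Apache 2.2 and in 2.4 releases up to 2.4.16.
    if [ -z "$tokens" ]; then
        tokens=all
    fi
    sslv3=0
    for tok in $tokens; do
        case $tok in
            all|sslv3)   sslv3=1 ;;   # unsigned token: the set becomes exactly this
            +all|+sslv3) sslv3=1 ;;
            -all|-sslv3) sslv3=0 ;;
            +*|-*)       ;;            # signed change to some other protocol
            *)           sslv3=0 ;;    # unsigned other protocol replaces the set
        esac
    done
    [ "$sslv3" -eq 1 ]
}

# probe_sslv3 HOST [PORT]
# Exit status 0 if the server completes an SSLv3 handshake (still vulnerable),
# 1 if it refuses SSLv3, 2 if inconclusive (no openssl, an openssl built
# without SSLv3 so "-ssl3" is an unknown option, or no connection).
probe_sslv3() {
    host=$1
    port=${2:-443}
    command -v openssl >/dev/null 2>&1 || return 2
    out=$(openssl s_client -connect "$host:$port" -ssl3 </dev/null 2>&1) || true
    case $out in
        *"unknown option"*|*"connect:errno"*|*"Connection refused"*) return 2 ;;
        *"Cipher is (NONE)"*|*"handshake failure"*|*"alert protocol version"*) return 1 ;;
        *"New, SSLv3, Cipher is "*) return 0 ;;
        *) return 2 ;;
    esac
}

# Driver (variable names are assumed for this example), e.g.
#   BPPM_SSL_CONF="$BPPM_HOME/pw/apache/conf/extra/httpd-ssl.conf" sh check_sslv3.sh
#   BPPM_HOST=bppm-server BPPM_PORT=443 sh check_sslv3.sh
if [ -n "${BPPM_SSL_CONF:-}" ]; then
    if conf_allows_sslv3 "$BPPM_SSL_CONF"; then
        echo "$BPPM_SSL_CONF: SSLv3 still permitted; fix the SSLProtocol line"
    else
        echo "$BPPM_SSL_CONF: SSLv3 excluded"
    fi
fi
if [ -n "${BPPM_HOST:-}" ]; then
    rc=0
    probe_sslv3 "$BPPM_HOST" "${BPPM_PORT:-443}" || rc=$?
    case $rc in
        0) echo "$BPPM_HOST: SSLv3 handshake accepted (vulnerable)" ;;
        1) echo "$BPPM_HOST: SSLv3 refused" ;;
        *) echo "$BPPM_HOST: inconclusive (no SSLv3-capable openssl, or no connection)" ;;
    esac
fi
```

Run the configuration audit against the backed-up file and the edited file before restarting; the two should disagree. The live probe is the stronger evidence, since it tests what the server actually negotiates, but it depends on the client OpenSSL still being able to speak SSL 3.0, which is why it reports "inconclusive" rather than "refused" when the -ssl3 option is not available.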
Newly Published Knowledge Articles - New Content has been added over the last month!
KA418064 - What is the effect of applying multiple policies to the same PATROL agent in CMA?
KA418086 - What is the best practice to send events from the PATROL Agent to the BPPM server version 9.5?
KA418281 - When a CI is published how is the ComponentAliases slot value constructed?
KA418365 - If an Integration Service is stopped, I do not see a self-monitoring event (class PPM_SM_EV) to indicate it has been disconnected.
KA418886 - BPPM 9.5 - Events are shown with incorrect time since the Daylight Savings Time (DST) change.
KA419068 - After upgrading to BPPM 9.5 SP1, all event operations (Take Ownership, Assign To, Acknowledge Event, Close Event etc.) are greyed out.
KA419189 - Is it possible to change the value of mc_parameter_value slot for PATROL events to not contain so many decimal places?
Popular Knowledge Articles
KA382011 - I am unable to send events directly from Patrol Agent v9 to cell
KA352299 - BPPM database tables & view and Schema information for integration with BSM Dashboards.
KA324702 - How to Setup External Authentication in BMC ProactiveNet Performance Management (BPPM) 8.0.00 and above?
KA309641 - ProactiveNet jserver and rate processes are not starting.
KA351085 - Connectivity issue between Patrol Agents and Integration Service
Are these blogs helpful to you? We want to hear from you. Let us know what you think or what topics you would like presented in our blog.