On October 14, 2014, a security vulnerability affecting Secure Sockets Layer version 3 (SSL v3.0) was publicly disclosed (Padding Oracle On Downgraded Legacy Encryption, or “POODLE”). This vulnerability is the result of a design flaw in SSL v3.0. Note that it does not affect TLS and is limited to SSL 3.0, which is widely considered an obsolete protocol. This vulnerability has received the identifier CVE-2014-3566.
Exploiting this vulnerability requires man-in-the-middle (MITM) network access, combined with a certain amount of control over the user's browser so that it makes repeated requests with content under the attacker's control, and also heavy real-time computing power.
To resolve this issue, the SSL 3.0 protocol is disabled in all HTTPS connections within BMC Network Automation (BNA). BNA allows HTTPS connections for the following:
1. BNA server communication
BMC Network Automation uses the Apache Tomcat web server. Therefore, the server.xml file was modified to use a new attribute, sslEnabledProtocols. By default, this attribute is set to TLSv1, TLSv1.1, TLSv1.2.
2. Communication between BNA agent and network device
BMC Network Automation allows HTTPS communication with some devices. A new property, httpsEncryptionProtocols, with the default value “TLSv1,TLSv1.1,TLSv1.2”, has been added to the global.properties.imported file.
3. Communication between BNA Server and BNA Agent
The BMC Network Automation server communicates with the BMC Network Automation agent over HTTPS. This communication uses TLSv1.2 as the default protocol. The protocol is configurable via the agentSSLProtocol property in the global.properties.installed file.
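The three settings above are the places an administrator would check after applying the fix. The following audit script is an added example, not BMC's code: it reads a Tomcat server.xml and the two BNA properties files, and flags any HTTPS connector or property whose protocol list still admits a non-TLS protocol (or is absent, in which case Tomcat falls back to the JSSE default, which on the Java 7 releases current at the time of this advisory still enabled SSLv3). The attribute and property names come from the advisory; the sample server.xml and properties contents are constructed for the example.

```python
"""Audit BMC Network Automation HTTPS settings for SSLv3 leftovers (example, not BMC code).

Checks the three settings named in the advisory:
  - Tomcat Connector attribute sslEnabledProtocols in server.xml
  - httpsEncryptionProtocols in global.properties.imported
  - agentSSLProtocol in global.properties.installed
A setting passes only when its list is non-empty and every entry is a TLS version.
"""
import xml.etree.ElementTree as ET


def split_protocols(value):
    """Split a comma-separated protocol list, dropping whitespace and empty entries."""
    return [p.strip() for p in value.split(",") if p.strip()]


def protocols_are_tls_only(value):
    """True when the list is non-empty and every entry is a TLS version (TLSv1, TLSv1.1, ...)."""
    names = split_protocols(value)
    return bool(names) and all(n.startswith("TLSv") for n in names)


def audit_server_xml(xml_text):
    """Return {port: verdict} for every SSL-enabled Tomcat Connector in server.xml."""
    root = ET.fromstring(xml_text)
    results = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, not in scope for this check
        port = conn.get("port")
        value = conn.get("sslEnabledProtocols")
        if value is None:
            # No explicit list: Tomcat uses the JSSE default, which at the time of the
            # advisory (Java 7 before 7u75) still included SSLv3.
            results[port] = "FAIL: sslEnabledProtocols not set (JSSE default may allow SSLv3)"
        elif protocols_are_tls_only(value):
            results[port] = "OK: " + value
        else:
            results[port] = "FAIL: non-TLS protocol in list: " + value
    return results


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_properties(text, keys):
    """Return {key: verdict} for the named protocol properties in a properties file."""
    props = parse_properties(text)
    results = {}
    for key in keys:
        value = props.get(key)
        if value is None:
            results[key] = "MISSING: property not present"
        elif protocols_are_tls_only(value):
            results[key] = "OK: " + value
        else:
            results[key] = "FAIL: non-TLS protocol in list: " + value
    return results


# Constructed sample inputs (not taken from a real BNA installation).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="SSLv3,TLSv1"/>
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
  </Service>
</Server>
"""

SAMPLE_IMPORTED = """# constructed global.properties.imported excerpt
httpsEncryptionProtocols=TLSv1,TLSv1.1,TLSv1.2
"""

SAMPLE_INSTALLED = """# constructed global.properties.installed excerpt; agent left on SSLv3
agentSSLProtocol=SSLv3
"""

if __name__ == "__main__":
    for port, verdict in audit_server_xml(SAMPLE_SERVER_XML).items():
        print("server.xml connector port %s: %s" % (port, verdict))
    for key, verdict in audit_properties(SAMPLE_IMPORTED, ("httpsEncryptionProtocols",)).items():
        print("global.properties.imported %s: %s" % (key, verdict))
    for key, verdict in audit_properties(SAMPLE_INSTALLED, ("agentSSLProtocol",)).items():
        print("global.properties.installed %s: %s" % (key, verdict))
```

Run against a real installation by replacing the sample strings with the file contents; a connector or property that reports FAIL or MISSING is one where an SSLv3 handshake may still be accepted and should be set to the TLS-only list the advisory gives.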
The following versions of BMC Network Automation are POODLE-safe: