Is BMC Performance Manager Portal affected by the DROWN vulnerability (CVE-2016-0800) ?

Version 1
    Share:|

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    BMC Performance Manager Portal


    COMPONENT:

    BMC PM Portal


    APPLIES TO:

    Portal 2.9 ~ 2.11



    PROBLEM:

    Is there any additional information regarding this vulnerability https://communities.bmc.com/blogs/application-security-news/2016/03/09/openssl-drown-vulnerability-cve-2016-0800-cve-2016-0703 ?

    On March 1, 2016, the OpenSSL Software Foundation released a security advisory detailing seven vulnerabilities and a new attack, referred to as the Decrypting RSA with Obsolete and Weakened encryption (DROWN) attack. Of the seven vulnerabilities posted, three are related to the DROWN attack. DROWN exploits weaknesses in SSL version 2 (SSLv2) to enable an attacker to collect and decrypt TLS sessions. A successful attack requires the ability to collect traffic for a server that supports both TLS and SSLv2.

    Environments that have been configured to disable SSLv2 as well as export grade ciphers are not vulnerable to DROWN. Therefore if you have performed steps to mitigate both the TLS Logjam and POODLE attacks - you are not vulnerable

    DROWN (CVE-2016-0800)
    https://openssl.org/news/secadv/20160301.txt


     


    CAUSE:

    DROWN Attack (CVE-2016-0800)


    SOLUTION:

    According to R&D,

    Fortunately Portal 2.11 is not affected by this vulnerability. The Vulnerability is applicable for SSLV2 only and in Portal 2.11 comes with SSLv2 disabled.

    However the Portal 2.9 seems to be SSLv2 enabled. You can run the below command in the %BMC_PORTAL_KIT_HOME%/\webserver\tools\apache-openssl\bin folder command prompt on both portals to verify openssl s_client -connect <HOSTNAME>:443 -ssl2

    Whenever the command gives an error like 10148:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:.\ssl\s2_pkt.c:427:

    that mean the SSLv2 is not enabled.
     
    If you check the URL https://communities.bmc.com/blogs/application-security-news/2016/03/09/openssl-drown-vulnerability-cve-2016-0800-cve-2016-0703 it is mentioned that if you have done POODLE vulnerability steps for Portal SSLv2 is not applicable for your Portal.

    POODLE vulnerability steps are at
    https://kb.bmc.com/infocenter/index?page=content&id=KA372758

    So would advise to perform these steps for Portal to be sure in case SSLv2 is enabled.

     


    Article Number:

    000111725


    Article Type:

    Solutions to a Product Problem



      Looking for additional information?    Search BMC Support  or  Browse Knowledge Articles