
SSL 3.0 Vulnerability - POODLE - SBM



ID:    S140810
Published:    17 October 2014
Updated:    12 October 2015

Operating System(s)

  • Windows 2003
  • Windows 2003 R2
  • Windows 2008 R2
  • Windows 2012
 

Description

A security vulnerability called POODLE (Padding Oracle On Downgraded Legacy Encryption) has been disclosed. It is the result of a design flaw in the SSL 3.0 protocol: the padding bytes of a CBC-mode record are neither covered by the MAC nor checked by the receiver, so an attacker who can inject requests into a victim's browser session and observe whether the server accepts or rejects each record can recover plaintext (for example a session cookie) one byte at a time. Because browsers fall back to SSL 3.0 when a TLS handshake fails, a server is exposed as long as SSL 3.0 remains enabled, even if it prefers TLS. This has the potential to affect any web server that communicates with SBM, including the SBM server's own Tomcat HTTPS connector. The mitigation is to disable SSL 3.0 on the web servers involved; the steps customers can take to secure their installations are described below and in the attached document.
 
Note that SBM requires that the protocol list configured on the Tomcat HTTPS connector ("Protocols") still includes TLSv1: remove SSLv3 from the list, but do not remove TLSv1.
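The following script is an added example, not code from SBM or from the attached document, that simulates the SSL 3.0 flaw described above against a toy record layer. The block cipher is a small Feistel construction over HMAC-SHA256 standing in for AES/3DES, and the secret, the attacker-controlled prefix/suffix lengths and the record layout are constructed here so that it runs offline. The receiver has two modes: the SSL 3.0 check, which looks only at the last padding byte, and the TLS 1.0 check, which verifies every padding byte; the same attack succeeds against the first and fails against the second, which is exactly why disabling SSL 3.0 removes the exposure.

```python
"""POODLE padding-oracle simulation against a toy SSL 3.0 record layer.
Added example, not SBM code. Keys, secret and message layout are constructed."""
import hashlib
import hmac
import os

BLOCK = 16
MAC_LEN = 20                      # HMAC-SHA1, as in the SSL 3.0 cipher suites
ENC_KEY = os.urandom(16)
MAC_KEY = os.urandom(16)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(half, i):
    return hmac.new(ENC_KEY, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(block):
    """Toy 16-byte block cipher: a 4-round Feistel network keyed by ENC_KEY."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(r, i))
    return l + r


def block_decrypt(block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(l, i)), l
    return l + r


def seal(plaintext, tls_padding=False):
    """MAC-then-pad-then-encrypt in CBC with a fresh IV, as SSL 3.0 does.
    The last byte is the pad length. SSL 3.0 leaves the other pad bytes
    unspecified; TLS 1.0 requires each of them to equal the length byte."""
    data = plaintext + hmac.new(MAC_KEY, plaintext, hashlib.sha1).digest()
    n = (-(len(data) + 1)) % BLOCK
    padded = data + (bytes([n]) * n if tls_padding else os.urandom(n)) + bytes([n])
    iv = prev = os.urandom(BLOCK)
    out = [iv]
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(_xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def open_record(record, strict_padding=False):
    """Receiver; True if the record is accepted. strict_padding=False is the
    SSL 3.0 check (last byte only); True is the TLS 1.0 check of every pad byte."""
    iv, body = record[:BLOCK], record[BLOCK:]
    plain, prev = b"", iv
    for i in range(0, len(body), BLOCK):
        c = body[i:i + BLOCK]
        plain += _xor(block_decrypt(c), prev)
        prev = c
    n = plain[-1]
    if n >= BLOCK:
        return False
    if strict_padding and any(b != n for b in plain[-1 - n:-1]):
        return False
    data = plain[:-1 - n]
    msg, mac = data[:-MAC_LEN], data[-MAC_LEN:]
    return hmac.compare_digest(hmac.new(MAC_KEY, msg, hashlib.sha1).digest(), mac)


def make_victim(secret, tls_padding=False):
    """Simulated browser: the attacker picks the URL path (prefix) and body
    (suffix) lengths around the cookie and can make the request be re-sent."""
    def victim(prefix_len, suffix_len):
        return seal(b"A" * prefix_len + secret + b"B" * suffix_len, tls_padding)
    return victim


def poodle_recover(victim, secret_len, strict_padding=False, max_tries=20000):
    """Recover the secret one byte at a time, last byte first. Each attempt
    aligns the target byte at the end of a block, makes the final block pure
    padding, and copies the target ciphertext block over that padding block.
    An SSL 3.0 receiver accepts the forgery whenever the decrypted last byte
    happens to equal BLOCK-1 (about once in 256 tries), leaking the byte."""
    recovered = bytearray()
    for k in reversed(range(secret_len)):
        prefix_len = (BLOCK - 1 - k) % BLOCK                     # target at block end
        suffix_len = (-(prefix_len + secret_len + MAC_LEN)) % BLOCK  # full pad block
        t = (prefix_len + k) // BLOCK + 1                        # blocks[0] is the IV
        for _ in range(max_tries):
            rec = victim(prefix_len, suffix_len)
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]
            forged = b"".join(blocks[:-1]) + blocks[t]
            if open_record(forged, strict_padding):
                # D(C_t) = P_t ^ C_{t-1}, accepted when chained after C_{L-1}:
                # P_t[-1] ^ C_{t-1}[-1] ^ C_{L-1}[-1] == BLOCK - 1
                recovered.insert(0, (BLOCK - 1) ^ blocks[t - 1][-1] ^ blocks[-2][-1])
                break
        else:
            return None                                          # oracle is closed
    return bytes(recovered)


if __name__ == "__main__":
    secret = b"SID=a7f3c2"                                       # constructed cookie
    print(poodle_recover(make_victim(secret), len(secret)))      # SSL 3.0 receiver
    print(poodle_recover(make_victim(secret, True), len(secret), True, 200))  # TLS
```

The attacker never sees a decryption; it only learns whether the server accepted the record, which in the real attack is visible as the connection staying open or being torn down. Each recovered byte costs about 256 re-sent requests, which is why the browser must be coaxed into repeating the request and why the fix is to remove SSL 3.0 rather than to tune anything else.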
 
Potential Side Effects

While the risk of breakage is small, customers still need to be aware of the potential for problems. Specifically, very old web browser clients that do not support TLS (for example Internet Explorer 6 in its default configuration, which has TLS 1.0 switched off) will no longer be able to connect to the Serena SBM server once SSL 3.0 is disabled.
 
SBM 10.1.2 and earlier run on JDK 1.6. This version of the JDK uses the pseudo-protocol "SSLv2Hello", which governs only the format of the initial ClientHello message and does not enable SSL 2.0 encryption. For these versions the protocol list must be "TLSv1,SSLv2Hello". If SSLv2Hello is removed from the Tomcat HTTPS connector, the browser will no longer be able to connect to the server and will display an error similar to:

"sslv3 alert handshake failure"
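The following audit script is an added example, not SBM's own tooling or the content of the attached document. It parses a Tomcat server.xml, finds every SSL-enabled connector and reports the conditions discussed on this page: no protocol list at all (the JVM default applies, which includes SSLv3 on JDK 6 and on JDK 7 before 7u75), SSLv3 listed explicitly, TLSv1 missing, and the JDK 6 case where "SSLv2Hello" must stay in the list. The connector fragments, port, keystore path and password are constructed samples; the attribute names checked are an assumption about the Tomcat build shipped with SBM ("sslEnabledProtocols" on Tomcat 7 and later, "protocols" on Tomcat 6, "sslProtocols" on early Tomcat 7), and "sslProtocol" (singular) is deliberately not treated as a protocol list, because it only names the JSSE SSLContext and does not disable SSLv3.

```python
"""Audit Tomcat HTTPS connectors in server.xml for POODLE exposure.
Added example, not SBM code. All server.xml fragments are constructed samples."""
import xml.etree.ElementTree as ET

# Attributes that carry the enabled-protocol list, in the order checked.
# Assumption about Tomcat builds: sslEnabledProtocols (Tomcat 7+),
# sslProtocols (early Tomcat 7), protocols (Tomcat 6).
LIST_ATTRS = ("sslEnabledProtocols", "sslProtocols", "protocols")


def sample(extra=""):
    """One-connector server.xml (constructed; port/keystore values are made up)."""
    return ('<Server><Service name="Catalina"><Connector port="8243" protocol="HTTP/1.1" '
            'SSLEnabled="true" scheme="https" secure="true" keystoreFile="conf/sbm.jks" '
            'keystorePass="changeit" sslProtocol="TLS" %s/></Service></Server>' % extra)


WEAK_DEFAULT = sample()                                       # no list: JVM default
WEAK_SSLV3 = sample('sslEnabledProtocols="SSLv3,TLSv1"')      # SSLv3 explicitly on
FIXED_JDK7 = sample('sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"')
FIXED_JDK6 = sample('protocols="TLSv1,SSLv2Hello"')           # SBM 10.1.2 and earlier
BROKEN_JDK6 = sample('protocols="SSLv2Hello"')                # TLSv1 dropped by mistake


def audit(server_xml):
    """Return (port, level, message) findings for every SSL-enabled connector.
    level is "fail" for something that must be fixed and "info" for a note."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        port = c.get("port", "?")
        if "Apr" in c.get("protocol", ""):
            # APR/OpenSSL connector: the list lives in SSLProtocol (OpenSSL names)
            val = c.get("SSLProtocol", "all")
            if val == "all" or "SSLv3" in val:
                findings.append((port, "fail", "APR SSLProtocol allows SSLv3: " + val))
            continue
        raw = next((c.get(a) for a in LIST_ATTRS if c.get(a)), None)
        if raw is None:
            findings.append((port, "fail", "no protocol list; the JVM default applies "
                             "and includes SSLv3 on JDK 6 and JDK 7 before 7u75"))
            continue
        enabled = {p.strip() for p in raw.split(",") if p.strip()}
        if "SSLv3" in enabled:
            findings.append((port, "fail", "SSLv3 is enabled: " + raw))
        if "TLSv1" not in enabled:
            findings.append((port, "fail", "TLSv1 missing; SBM requires it: " + raw))
        if "SSLv2Hello" in enabled:
            findings.append((port, "info", "SSLv2Hello present (required on JDK 6; "
                             "it is a hello format only, not SSL 2.0 encryption)"))
    return findings


if __name__ == "__main__":
    for name, xml in (("WEAK_DEFAULT", WEAK_DEFAULT), ("WEAK_SSLV3", WEAK_SSLV3),
                      ("FIXED_JDK7", FIXED_JDK7), ("FIXED_JDK6", FIXED_JDK6),
                      ("BROKEN_JDK6", BROKEN_JDK6)):
        print(name, audit(xml) or "ok")
```

To run it against a real installation, replace the constructed samples with the contents of the SBM Tomcat server.xml. One caveat the script only notes in a comment: with protocol="HTTP/1.1" Tomcat selects the APR connector automatically when the Tomcat native library is installed, and then the JSSE attributes are ignored and the APR "SSLProtocol" attribute is what matters.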
 
 

Resolution

Review the attached document for details on how to mitigate the risks.

Applies To

SBM

Attachment

File Name: Mitigating POODLE in SBM.doc
File Size: 36K
Download: HTTP
