https://softwaresupport.hp.com/group/softwaresupport/search-result/-/fac...
Title: Service Manager and the POODLE Vulnerability (CVE-2014-3566)
Document ID: KM01235509
Product - Version: service manager
OS:
Updated: 2014-Nov-11
Summary:
All versions of the HP Service Manager product were found to be vulnerable to the POODLE
(Padding Oracle On Downgraded Legacy Encryption) attack, which affects a wide variety of
applications that use the SSL 3.0 protocol to secure communications between servers and clients.
The vulnerability takes advantage of a security weakness in the SSL 3.0 protocol and a client's ability
to perform a TLS/SSL "downgrade dance" (the ability to negotiate a fallback encryption
protocol). Together, these two aspects of the vulnerability may leave the HP Service Manager products
exposed to man-in-the-middle and eavesdropping attacks.
Revision 1.0
As of: October 17, 2014
Note: You may also be vulnerable depending on the 3rd party products that are used in support for the deployment of
Service Manager / ServiceCenter. Please see Appendix A and Appendix B for further details.
28/04/2015 12:23 p. m.
HP is not responsible for supporting the 3rd party components used to deploy its products, and you should treat the
guidelines available in Appendix A and Appendix B as recommendations only. For further instructions, it is recommended
that you consult the 3rd party component vendor.
Solution
In scenarios where SM acts as a TLS/SSL client, please reference Appendix A for recommendations.
In scenarios where SM acts as a TLS/SSL server, please reference Appendix B for recommendations.
1. Locate the Windows shortcut used to launch the SM Windows (Eclipse) client.
2. Right-click on the shortcut and select Properties.
3. Select the Shortcut tab and then click the Open File Location button. This will take you to the SM Windows
   client installation folder.
4. Open the ServiceManager.ini file in a text editor and append the following parameter to the bottom of the file:
   -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
   e.g.
   -Dosgi.locking=java.io
   -vmargs
   -Xmx256M
   -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
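The edit above only takes effect if the property ends up on a line after -vmargs, because the Eclipse launcher forwards only the lines following -vmargs to the JVM. The following audit script is an added example for checking a ServiceManager.ini against that requirement; it is not HP's code. The two ini bodies it contains are constructed samples: the first reproduces the snippet from this article, the second is a deliberately wrong file with the property placed before -vmargs and still listing SSLv3.

```python
"""Audit an Eclipse-style ServiceManager.ini for the POODLE mitigation.

Added example, not part of the HP article. It checks that a
-Dhttps.protocols setting is present, that it sits after -vmargs
(only those lines reach the JVM), and that no SSL protocol is listed.
"""

PROP = "-Dhttps.protocols="

# Constructed sample: the snippet from the article as a file body.
SAMPLE_INI = """-Dosgi.locking=java.io
-vmargs
-Xmx256M
-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
"""

# Constructed counter-example: property before -vmargs and SSLv3 still enabled.
BAD_INI = """-Dhttps.protocols=SSLv3,TLSv1
-Dosgi.locking=java.io
-vmargs
-Xmx256M
"""


def audit_ini(text):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    vmargs_seen = False
    protocols = None
    after_vmargs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-vmargs":
            vmargs_seen = True
        elif line.startswith(PROP):
            # Keep the last occurrence, as later JVM options override earlier ones.
            protocols = [p.strip() for p in line[len(PROP):].split(",") if p.strip()]
            after_vmargs = vmargs_seen
    if protocols is None:
        findings.append("missing " + PROP + " (JVM default protocol list applies)")
        return findings
    if not after_vmargs:
        findings.append(PROP + " appears before -vmargs, so the launcher does not pass it to the JVM")
    ssl_entries = [p for p in protocols if p.upper().startswith("SSL")]
    if ssl_entries:
        findings.append("SSL protocol still enabled: " + ",".join(ssl_entries))
    if not any(p.startswith("TLSv1") for p in protocols):
        findings.append("no TLS protocol enabled; the client would be unable to connect")
    return findings


if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_INI), ("bad", BAD_INI)):
        result = audit_ini(body)
        print(name, "OK" if not result else "; ".join(result))
```

Run it against a real file with `audit_ini(open(path).read())`. Note that TLSv1.1 and TLSv1.2 are only recognised by the Java 7 (or later) JSSE that ships with the client; on an older JRE those entries are ignored and only TLSv1 remains.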
2. Consult with your third-party web application server vendor (e.g. Apache Tomcat, IBM WebSphere, Oracle
   WebLogic, etc.) to obtain information on how to pass in additional startup parameters to the JVM running your
   web application server.
3. Add the following to the JVM parameters used to start the JVM of your web application server:
   -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
For example, if using Tomcat on a Windows-based OS that is started using a Windows Service, the parameters
would be added using the Tomcat monitor application (Tomcat7w.exe):
For other web application servers please consult with your third-party vendor for details on how to pass in
additional JVM startup parameters.
In addition, based on the latest information from security researchers, successfully disabling the SSL 3.0 protocol from
either the server or client-side will resolve the POODLE vulnerability. This means that you have the option, in this
scenario, to resolve the issue by modifying the configuration of your web browsers such that SSL 3.0 is disabled.
Information on how to disable SSL 3.0 in your web browser varies depending on the browser used. Below is a list of
references that may be used as a starting point to research this alternate solution:
Firefox: https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
Internet Explorer: https://technet.microsoft.com/en-us/library/security/3009008.aspx
Chrome: https://productforums.google.com/forum/#!topic/chrome/dpiPu9B1cBI
Safari: https://support.apple.com/kb/HT6535
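Whichever side is reconfigured, the way to confirm the fix is to look at what the two ends actually negotiate. The script below is an added example, not part of the HP article: it parses the record-layer and handshake headers of a ClientHello or ServerHello and reports the protocol version carried in the message, so a defender can confirm from a capture that no ServerHello settles on SSL 3.0 any more. It also reports whether a ClientHello carries the TLS_FALLBACK_SCSV signalling suite from RFC 7507, the standard countermeasure to the downgrade dance described in the summary. The three records it contains are constructed test data, not real captures.

```python
"""Flag SSL 3.0 in captured TLS/SSL handshake records.

Added example, not part of the HP article. Parses ClientHello/ServerHello
records far enough to read the protocol version (and, for ClientHello,
the offered cipher suites) and flags anything that negotiated SSL 3.0.
"""
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE = 0x16                 # record-layer content type
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
TLS_FALLBACK_SCSV = 0x5600       # RFC 7507 signalling suite sent by a falling-back client


def parse_hello(record):
    """Describe a ClientHello/ServerHello record; raise ValueError on anything else."""
    if len(record) < 11 or record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_version, rec_len = struct.unpack("!HH", record[1:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    msg_type = body[0]
    msg_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + msg_len]
    if len(msg) != msg_len or msg_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a ClientHello/ServerHello")
    (hello_version,) = struct.unpack("!H", msg[0:2])
    info = {
        "message": "ClientHello" if msg_type == CLIENT_HELLO else "ServerHello",
        "record_version": VERSIONS.get(rec_version, hex(rec_version)),
        "version": VERSIONS.get(hello_version, hex(hello_version)),
        "sslv3": hello_version == 0x0300,
    }
    pos = 2 + 32                 # skip the 32-byte random
    pos += 1 + msg[pos]          # skip the variable-length session id
    if msg_type == CLIENT_HELLO:
        (cs_len,) = struct.unpack("!H", msg[pos:pos + 2])
        pos += 2
        suites = [struct.unpack("!H", msg[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        info["fallback_scsv"] = TLS_FALLBACK_SCSV in suites
    return info


def sslv3_negotiations(records):
    """Return the ServerHello entries in a capture that settled on SSL 3.0."""
    hits = []
    for rec in records:
        info = parse_hello(rec)
        if info["message"] == "ServerHello" and info["sslv3"]:
            hits.append(info)
    return hits


def _hello(msg_type, version, tail):
    """Build a minimal handshake record (constructed test data, not a real capture)."""
    msg = struct.pack("!H", version) + b"\x00" * 32 + b"\x00" + tail
    hs = bytes([msg_type]) + len(msg).to_bytes(3, "big") + msg
    return bytes([HANDSHAKE]) + struct.pack("!HH", version, len(hs)) + hs


# Server that settled on SSL 3.0 with a CBC suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA).
SSLV3_SERVER_HELLO = _hello(SERVER_HELLO, 0x0300, b"\x00\x0a" + b"\x00")
# Server that settled on TLS 1.2 (TLS_RSA_WITH_AES_128_CBC_SHA).
TLS12_SERVER_HELLO = _hello(SERVER_HELLO, 0x0303, b"\x00\x2f" + b"\x00")
# Client retrying at SSL 3.0 and signalling the fallback via TLS_FALLBACK_SCSV.
FALLBACK_CLIENT_HELLO = _hello(
    CLIENT_HELLO, 0x0300, struct.pack("!H", 4) + b"\x00\x0a\x56\x00" + b"\x01\x00")

if __name__ == "__main__":
    capture = [FALLBACK_CLIENT_HELLO, SSLV3_SERVER_HELLO, TLS12_SERVER_HELLO]
    for rec in capture:
        print(parse_hello(rec))
    print("SSL 3.0 negotiations:", len(sslv3_negotiations(capture)))
```

After applying the https.protocols change on the client, or disabling SSL 3.0 on the server, a capture of the handshake should yield no ServerHello with version SSL 3.0; a server that honours TLS_FALLBACK_SCSV rejects the constructed fallback ClientHello instead of answering it.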
If the web application server that provides HTTPS for the HP SM products is impacted, an attacker could have retrieved
HP SM business data that transits through the web application server. Please note this is the case for any application
whose traffic transits through vulnerable servers, and is not specific to HP SM products. Your administrators should take
follow-up actions if deemed necessary after the issue is patched on your web server. Such follow-up actions may include
the re-issuance of passwords for all HP SM Server users, etc.