
Search Result - HP Software Support


https://softwaresupport.hp.com/group/softwaresupport/search-result/-/fac...

Service Manager and the POODLE Vulnerability (CVE-2014-3566)

Title: Service Manager and the POODLE Vulnerability (CVE-2014-3566)
Document ID: KM01235509
Product - Version: Service Manager
Updated: 2014-Nov-11
Summary:
All versions of the HP Service Manager product were found to be vulnerable to the POODLE
(Padding Oracle On Downgraded Legacy Encryption) attack, which affects a wide variety of
applications that use the SSL 3.0 protocol to secure communications between servers and clients.
The vulnerability takes advantage of a security weakness in the SSL 3.0 protocol and a client's ability
to perform a TLS/SSL "downgrade dance" (falling back to an older protocol version when a handshake
fails). Together these two aspects of the vulnerability may leave the HP Service Manager products
exposed to man-in-the-middle and eavesdropping attacks.
Revision 1.0
As of: October 17, 2014

Service Manager and the POODLE Vulnerability (CVE-2014-3566)


Situation Overview
All versions of the HP Service Manager product were found to be vulnerable to the POODLE (Padding Oracle On
Downgraded Legacy Encryption) attack, which affects a wide variety of applications that use the SSL 3.0 protocol to
secure communications between servers and clients. The vulnerability takes advantage of two things: a weakness in the
SSL 3.0 protocol itself (the padding of CBC-mode records is not covered by the MAC, so a man-in-the-middle who can
replay modified records learns plaintext bytes from whether the server accepts them), and a client's ability to perform a
TLS/SSL "downgrade dance" (falling back to an older protocol version, eventually SSL 3.0, when a handshake attempt
fails, which lets an attacker who blocks the TLS handshakes force SSL 3.0 even between peers that both support TLS).
Together these two aspects of the vulnerability may leave the HP Service Manager products exposed to man-in-the-middle
and eavesdropping attacks.
Since the vulnerability is specific to the SSL 3.0 protocol, the solution is to stop your clients or server applications from
using the SSL 3.0 protocol and replace it with the newer standard defined in the TLS protocol (TLS 1.0, TLS 1.1, and TLS
1.2). For more technical details on the vulnerability please reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
https://www.openssl.org/~bodo/ssl-poodle.pdf
The following products and versions were found vulnerable:

Service Manager (all versions)

ServiceCenter (all versions)

Note: You may also be vulnerable depending on the third-party products used to deploy Service Manager /
ServiceCenter. Please see Appendix A and Appendix B for further details.

28/04/2015 12:23 p. m.


HP is not responsible for supporting the third-party components used to deploy its products. Treat the guidelines in
Appendix A and Appendix B as recommendations only; for further instructions, consult the third-party component vendor.

Solution

Immediate mitigation plan


In order to resolve the vulnerability, the official recommendation from numerous trusted security researchers is to
completely disable the SSL 3.0 protocol on either the client or the server side (disabling it on one side is sufficient for
that connection). You may take the following action until HP releases a fix for the vulnerability:

In scenarios where SM acts as a TLS/SSL client, please reference Appendix A for recommendations.
In scenarios where SM acts as a TLS/SSL server, please reference Appendix B for recommendations.

Appendix A: SM products acting as TLS/SSL clients


HP Service Manager Windows (Eclipse) client
The SM Windows (Eclipse) client may act as a TLS/SSL client when configured to do so in order to secure
communications between the SM Server and itself. Oracle has provided a resolution to the issue by means of a
configuration change to the JVM parameters used to start Java client applications; reference the below link as a primer to
better understand the instructions that follow:
http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
In this case, you may resolve the issue by altering the configuration of the SM Windows (Eclipse) client as follows:
1. Locate the Windows shortcut used to launch the SM Windows (Eclipse) client.
2. Right-click on the shortcut and select Properties.
3. Select the Shortcut tab and then click the Open File Location button. This will take you to the SM Windows
client installation folder.
4. Open the ServiceManager.ini file in a text editor and append the following parameter to the bottom of the file. It
must come after the -vmargs line: the Eclipse launcher passes everything after -vmargs to the JVM, and a -D option
placed before -vmargs never reaches the JVM as a system property.
-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
e.g.
-Dosgi.locking=java.io
-vmargs
-Xmx256M
-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
5. Save the changes to the .ini file.


You have now completed the steps needed to resolve the issue. Proceed to start the client as you normally
would. Repeat steps 1 through 5 for all SM Windows Clients.
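Repeating the .ini edit by hand on every workstation is error-prone, and a typo (or a line placed before -vmargs) silently leaves that client on SSL 3.0. The following Python script is an added example, not part of the HP article: it applies step 4 idempotently, replacing any existing https.protocols line (including a weaker one that still lists SSLv3) with the recommended value and creating the -vmargs section if the file lacks one. It assumes only the Eclipse launcher convention that arguments after -vmargs go to the JVM, and that the .ini paths are supplied on the command line.

```python
import shutil
import sys

# The JVM system property the advisory tells you to add. Everything after the
# Eclipse launcher's -vmargs line is handed to the JVM, so the line must sit there.
HTTPS_PROTOCOLS_ARG = "-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2"
PROPERTY_PREFIX = "-Dhttps.protocols="


def ensure_https_protocols(ini_text, value=HTTPS_PROTOCOLS_ARG):
    """Return ini_text with exactly one https.protocols line, placed after -vmargs.

    - Any existing https.protocols line is removed first, wherever it sits, so a
      stale value such as SSLv3,TLSv1 cannot survive next to the new one.
    - A line that sat *before* -vmargs is dropped too: the launcher would have
      kept it for itself and the JVM would never have seen it.
    - If the file has no -vmargs section, one is appended.
    - The original line-ending style (CRLF or LF) is preserved, and applying the
      function twice yields the same text.
    """
    eol = "\r\n" if "\r\n" in ini_text else "\n"
    lines = [l for l in ini_text.splitlines() if not l.strip().startswith(PROPERTY_PREFIX)]
    if "-vmargs" not in lines:
        lines.append("-vmargs")
    lines.append(value)
    return eol.join(lines) + eol


def patch_ini_file(path):
    """Rewrite the .ini in place after saving a .bak copy; return True if it changed."""
    with open(path, "r") as f:
        original = f.read()
    updated = ensure_https_protocols(original)
    if updated == original:
        return False
    shutil.copyfile(path, path + ".bak")
    with open(path, "w", newline="") as f:  # newline="" keeps the eol chosen above
        f.write(updated)
    return True


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: %s <path to ServiceManager.ini> [...]" % sys.argv[0])
    for ini_path in sys.argv[1:]:
        state = "updated" if patch_ini_file(ini_path) else "already configured"
        print("%s: %s" % (ini_path, state))
```

Because the function works on text rather than on the file, the same logic can be dropped into whatever you use to push files to workstations; the .bak copy makes a rollback a rename.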



HP Service Manager Web Tier and Service Manager Mobility


The SM Web Tier client and SM Mobility may act as a TLS/SSL client when configured to do so in order to secure
communications between the SM Server and itself. Oracle has provided a resolution to the issue by means of a
configuration change to the JVM parameters used to start Java client applications; reference the below link as a primer to
better understand the instructions that follow:
http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
In this case, you may resolve the issue by altering the configuration of the SM Web Tier and Mobility as follows:
1. Consult with your third-party web application server vendor (e.g. Apache Tomcat, IBM Websphere, Oracle
WebLogic, etc.) to obtain information on how to pass additional startup parameters to the JVM running your
web application server.
2. Add the following to the JVM parameters used to start the JVM of your web application server:
-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
For example, if using Tomcat on a Windows-based OS that is started as a Windows Service, the parameter
would be added as a new line in the Java Options field on the Java tab of the Tomcat monitor application
(Tomcat7w.exe). Note that https.protocols governs only the protocol versions Java's HttpsURLConnection will
negotiate when it acts as a client; it does not change which protocols the web application server itself accepts
from browsers (see Appendix B for that).
3. For other web application servers please consult with your third-party vendor for details on how to pass in
additional JVM startup parameters.

HP Service Request Catalog


The SRC server may also act as a TLS/SSL client when configured to do so in order to secure communications between the SM
Server and itself. In this scenario, there is no immediate workaround available via configuration changes. The HP Software R&D
team is working on a patch, and an advisory will be released once it is available.

HP Service Manager consuming third-party external Web Services


SM Server may act as a TLS/SSL client when consuming third-party external Web Services that require HTTPS for
access. In this case, you may resolve the issue by contacting the third-party external Web Services vendor and inquiring
if they have disabled the SSL 3.0 protocol from their servers as recommended by numerous security researchers. When
contacting them, you may reference the official CVE id: CVE-2014-3566.



HP Service Manager as a SMTP server client


SM Server may act as a TLS/SSL client when using the HTML Email features (JavaMail), which allow SM Server to connect
securely to SMTP servers. In this case, you may resolve the issue by contacting the vendor of your SMTP server and
asking whether they have disabled the SSL 3.0 protocol on their servers as recommended by numerous security
researchers. When contacting them, you may reference the official CVE id: CVE-2014-3566.

HP Service Manager as a LDAP/Directory Services client


SM Server may act as a TLS/SSL client when connecting to a Directory Services server via the secure LDAP
protocol. Secure LDAP is also known as LDAP over SSL (LDAPS). In this case, you may resolve the issue by contacting
the vendor of your LDAP/Directory Services server and asking whether they have disabled the SSL 3.0 protocol on their
servers as recommended by numerous security researchers. When contacting them, you may reference the official CVE
id: CVE-2014-3566.

Appendix B: SM products acting as TLS/SSL servers


HP Service Manager and Hardware Load Balancers
In some organizations, a hardware load balancer device may be deployed in conjunction with multiple SM application
servers and web application servers that may leverage TLS/SSL to provide HTTPS traffic encryption and load balancing.
This is an optional, advanced deployment configuration.
Your hardware load balancer may be impacted if an attacker can gain man-in-the-middle positioning to trigger a
downgrade dance which may be used to perform a successful POODLE attack. Please see the official vulnerability
details for your device and consult the manufacturer of your device to determine whether you are impacted and what
additional steps you must take to resolve the issue. If you are using a vulnerable version, you should follow the
recommended steps provided by your device manufacturer. Typically this will involve configuring your device to
completely disable the SSL 3.0 protocol.
If the hardware load balancer that provides HTTPS for HP SM products is impacted, an attacker could have retrieved HP
SM business data that transits through the hardware load balancer. Please note this is the case for any application whose
traffic transits through vulnerable servers, and is not specific to HP SM products. It is up to your administrators to take
follow-up actions if deemed necessary after patching the issue on your hardware load balancer device(s). Such follow-up
actions may include the re-issuance of passwords for all HP SM Server users, etc.
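Whether the vendor's fix or configuration change actually took effect can be checked directly. The following Python script is an added example, not from the HP article or from HP: it sends a raw SSL 3.0 ClientHello (modern Python builds ship an ssl module without SSLv3 support, so the record is assembled by hand) and classifies the first record that comes back. A ServerHello carrying version 3.0 means the endpoint still negotiates SSL 3.0; a handshake_failure or protocol_version alert, or a connection closed without a reply, means it does not. The same probe serves the load balancer above, the web application servers in the next section, and the SMTP and LDAPS servers from Appendix A, provided the port speaks TLS directly (443, 636, 465); it does not handle STARTTLS. The target host and port are assumed to be given on the command line.

```python
import os
import socket
import struct
import sys

# Constructed for this example: cipher suites a 2014-era SSLv3 endpoint would
# almost certainly have enabled. Any CBC-mode suite exposes the POODLE padding oracle.
CIPHER_SUITES = [
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x0033,  # TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    0x0039,  # TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    0xC013,  # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    0xC014,  # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    0x0005,  # TLS_RSA_WITH_RC4_128_SHA
]

SSL3_VERSION = b"\x03\x00"
HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
ALERT_HANDSHAKE_FAILURE, ALERT_PROTOCOL_VERSION = 40, 70


def build_ssl3_client_hello(random_bytes=None):
    """Return one SSLv3 record carrying a minimal ClientHello.

    No extensions are sent: SSL 3.0 predates them, and a strict SSLv3 stack
    may reject a hello that carries any.
    """
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    if len(rnd) != 32:
        raise ValueError("ClientHello random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSL3_VERSION                                # client_version = 3.0
        + rnd                                       # random
        + b"\x00"                                   # session_id length 0
        + struct.pack("!H", len(suites)) + suites   # cipher_suites
        + b"\x01\x00"                               # one compression method: null
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server returned for an SSLv3 ClientHello."""
    if not data:
        return "ssl3_disabled"          # closed or reset without answering
    if len(data) < 5:
        return "unknown"
    ctype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if ctype == ALERT and len(body) >= 2:
        description = body[1]
        if description in (ALERT_HANDSHAKE_FAILURE, ALERT_PROTOCOL_VERSION):
            return "ssl3_disabled"
        return "alert_%d" % description
    if ctype == HANDSHAKE and len(body) >= 6 and body[0] == SERVER_HELLO:
        server_version = bytes(body[4:6])   # after the 4-byte handshake header
        if server_version == SSL3_VERSION:
            return "ssl3_accepted"
        return "unexpected_version_%02x%02x" % (server_version[0], server_version[1])
    return "unknown"


def probe(host, port=443, timeout=5.0):
    """Send one SSLv3 ClientHello to host:port and classify the reply (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl3_client_hello())
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: %s <host> [port]" % sys.argv[0])
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print("%s:%d -> %s" % (sys.argv[1], port, probe(sys.argv[1], port)))
```

Read "ssl3_accepted" as a definite finding: the endpoint completed an SSL 3.0 ServerHello and is still exposed. Read an alert-based "ssl3_disabled" as strong but not absolute evidence, since a server that allows SSL 3.0 but shares none of the offered cipher suites would also answer handshake_failure; if you need certainty for an unusual configuration, widen CIPHER_SUITES to match what that server advertises.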

HP Service Manager Web Tier, Service Request Catalog, and Mobility


SM Web Tier, Mobility, and SRC acting as a TLS/SSL server may use either the Oracle or IBM Java Runtime
Environment (JRE) required by your third-party web application server or it may rely on a third-party TLS/SSL library like
OpenSSL to securely manage and connect incoming client browser requests using TLS/SSL protocols.
HP does not ship or provide the software that hosts the SM Web Tier, Mobility and SRC products which controls the
specific TLS/SSL protocols that are used. As such, customers are responsible for any additional configuration or
application of patches needed to resolve this issue. HP recommends that you consult with your third-party web
application server vendor (IBM Websphere, Oracle WebLogic, Apache Tomcat, etc.) for critical information on resolving
this issue. When contacting them, you may reference the official CVE id: CVE-2014-3566. Typically the vendor's resolution
involves disabling the SSL 3.0 protocol on the third-party server (for the Apache Tomcat JSSE HTTPS connector, for
example, the sslEnabledProtocols attribute lists the protocol versions that remain enabled). Below is a list of references
that may be used as a starting point to research this solution:
IBM Websphere: http://www-01.ibm.com/support/docview.wss?uid=swg21687173
IBM HTTP Server: http://www-01.ibm.com/support/docview.wss?uid=swg21687172
Oracle WebLogic: https://community.oracle.com/thread/3620152
Oracle HTTP Server: http://docs.oracle.com/cd/B14099_19/web.1012/b14007/ssl.htm#CHDFAGJE
Apache HTTP Server: https://access.redhat.com/solutions/1232413
Apache Tomcat: https://access.redhat.com/solutions/1232233



In addition, based on the latest information from security researchers, successfully disabling the SSL 3.0 protocol on
either the server or the client side will resolve the POODLE vulnerability for that connection. This means that you have
the option, in this scenario, to resolve the issue by modifying the configuration of your web browsers such that SSL 3.0
is disabled; bear in mind that this protects only the browsers you control, whereas disabling it on the server protects
every client. Information on how to disable SSL 3.0 in your web browser varies depending on the browser used. Below is
a list of references that may be used as a starting point to research this alternate solution:
Firefox: https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
Internet Explorer: https://technet.microsoft.com/en-us/library/security/3009008.aspx
Chrome: https://productforums.google.com/forum/#!topic/chrome/dpiPu9B1cBI
Safari: https://support.apple.com/kb/HT6535
If the web application server that provides HTTPS for the HP SM products is impacted, an attacker could have retrieved
HP SM business data that transits through the web application server. Please note this is the case for any application
whose traffic transits through vulnerable servers, and is not specific to HP SM products. Your administrators should take
follow-up actions if deemed necessary after the issue is patched on your web server. Such follow-up actions may include
the re-issuance of passwords for all HP SM Server users, etc.

