All XOS versions ship with an embedded Web server that is potentially vulnerable to the CVE-2014-3566 OpenSSL Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. CVE-2014-3566 exploits weaknesses in the SSLv3 protocol to enable man-in-the-middle attacks that allow access to cleartext data within HTTPS sessions. Symantec recommends that you make the configuration change described in this article to prevent possible exploitation of this vulnerability.
About the XOS Web Server
The embedded Web server is not enabled by default. It only runs if it has been enabled via the configure web-server CLI command. If enabled, the embedded Web server will communicate via SSLv3 when requested by a client. To determine if the Web server is enabled on your chassis, use the CLI command show web-server.
The embedded Web server is only used to host the Greenlight Element Manager (GEM) health monitoring application. GEM displays primarily read-only health and statistical information for the chassis and provides the ability to retrieve chassis log files. The GEM application does not allow a user to reconfigure the chassis or modify the chassis state.
The embedded Web server can only be accessed via the CPM management ports and can never be accessed via data ports on the NPM modules. In a secure installation, it is expected that the CPM management ports are connected to a trusted management network and do not have direct access to the Internet. Access to the Web server can be further restricted to trusted client devices or subnets by configuring access control lists on the CPM module.
If you do not use GEM, you can disable the Web server by issuing the CLI command configure no web-server. If you do use GEM, you can specifically disable SSLv3 by following the steps in the workaround below.
A flaw was found in the way SSL 3.0 handled padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw allows a man-in-the-middle (MITM) attacker to decrypt a selected byte of a ciphertext in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.
This issue affects the version of OpenSSL shipped with Red Hat Enterprise Linux 5, 6 and 7, Red Hat JBoss Enterprise Application Platform 5 and 6, Red Hat JBoss Web Server 1 and 2, Red Hat Enterprise Virtualization Hypervisor 6.5, and Red Hat Storage 2.1. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/articles/1232123
A fix for this vulnerability will be available in XOS V11.0, and in the XOS V10.0.3, XOS V9.7.6, and XOS V9.6.10 maintenance releases.
To mitigate this vulnerability, you can explicitly disable SSLv3 in affected packages. This workaround applies to XOS V10.0.x, XOS V9.7.x, XOS V9.6.x, and XOS V9.5.x. Customers running earlier releases of XOS are advised to upgrade before applying this workaround.
To disable SSLv3 and force use of TLS by the Tomcat server, do the following:
Log into the primary CPM.
From the XOS CLI, stop the Web server:
CBS# configure no web-server
Access the Linux prompt as root user and change to the Tomcat directory.
CBS# un su
[root@xxxx admin]# cd /etc/tomcat5
Open the server.xml file in the tomcat5 directory for editing and locate the HTTP connector definition. XOS V10.0.x and XOS V9.7.x use port 443 for the HTTP Connector. XOS V9.6.x uses port 5443. Depending on the version of XOS installed, the definition will look approximately like this:
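Separately from editing server.xml, a defender will want to confirm the result once the Web server has been re-enabled. The following added Python script (not part of this article, and not XOS or Tomcat code) offers SSLv3 and each TLS version one at a time to the Web server's HTTPS port and reports whether the server answered with a ServerHello (version accepted) or an alert (version rejected). The host address, port (443 or 5443 depending on the XOS version) and the three CBC cipher suites offered are assumptions chosen for the probe.

```python
import socket
import struct

# Protocol version codes as carried in SSL/TLS record and handshake headers.
VERSIONS = {"SSLv3": 0x0300, "TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}

# Constructed: a few CBC cipher suites an SSLv3-era Tomcat/JSSE server would accept.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A]  # AES128-SHA, AES256-SHA, 3DES-EDE-CBC-SHA


def build_client_hello(version: int) -> bytes:
    """Build a minimal ClientHello record that offers only the given protocol version."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        struct.pack("!H", version)          # client_version
        + b"\x00" * 32                      # random: constant, this is a probe, not a real session
        + b"\x00"                           # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                       # compression methods: null only
    )
    # Handshake header: type 1 (ClientHello) followed by a 3-byte body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 0x16 (handshake), record version, 2-byte length.
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Interpret the first record the server sends back: 'accepted', 'rejected' or 'unknown'."""
    if len(data) < 5:
        return "unknown"            # connection closed or response truncated
    content_type = data[0]
    if content_type == 0x16 and len(data) >= 6 and data[5] == 0x02:
        return "accepted"           # handshake record carrying a ServerHello
    if content_type == 0x15:
        return "rejected"           # alert record (e.g. protocol_version, handshake_failure)
    return "unknown"


def probe(host: str, port: int, name: str, timeout: float = 5.0) -> str:
    """Offer a single protocol version to host:port and report how the server responded."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(VERSIONS[name]))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])  # CPM management address and 443 or 5443
    for name in VERSIONS:
        print(f"{name}: {probe(host, port, name)}")
```

After the workaround, SSLv3 should report "rejected" while at least one TLS version reports "accepted"; run it from a host on the trusted management network, since the Web server is reachable only via the CPM management ports.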