VIP Enterprise Gateway | Update for the FREAK vulnerability (refer to Common Vulnerabilities and Exposures entry CVE-2015-0204)
Last Updated March 12, 2015
Security researchers have found a vulnerability, nicknamed FREAK, that affects secure web connections using the SSL/TLS protocol. It affects any SSL/TLS server that still accepts ‘export-grade’ (RSA_EXPORT) cipher suites when the client or browser connecting to it is vulnerable to CVE-2015-0204, that is, it accepts an export-grade RSA key even though it did not ask for an export suite. A man-in-the-middle can then downgrade the connection to 512-bit RSA and break it.
The following VIP Enterprise Gateway components are affected by this vulnerability:
•VIP Enterprise Gateway Console
•VIP Manager IdP
•VIP Self Service Portal IdP – users accessing the portal from inside the corporate network.
•VIP Self Service Portal IdP Proxy – users accessing the portal from outside the corporate network.
You should follow the instructions in this update if you are running one of the following:
•VIP Enterprise Gateway on Windows and Linux platforms
•VIP Self Service IdP Proxy on Windows and Linux platforms
Note: Communications from the Enterprise Gateway to the corporate user store (LDAP) may also be vulnerable if that channel is protected with TLS. Because clients other than VIP Enterprise Gateway also connect to the corporate user store, Symantec recommends that you disable the export-grade cipher suites in the TLS configuration of the user store itself. Follow your LDAP server vendor's guidance for the remediation details.
Enterprise Gateway 9.5 and 9.6
Complete the following procedure on the VIP Enterprise Gateway machine that hosts the Self Service Portal (SSP) IdP, the VIP Manager IdP, and the VIP Enterprise Gateway Console:
1.Download the weakciphers.properties file provided with these instructions into a temporary location.
2.Stop the following Services, if applicable:
•Self Service Portal IdP
•VIP Manager IdP
•All Validation Services
•Enterprise Gateway Service
3.Back up weakciphers.properties from the <VIPEG_INSTALLATION>/conf/ folder, then replace it with the weakciphers.properties you downloaded to the temporary location in step 1.
4.Start the services you stopped in step 2.
If you are running an older version of Enterprise Gateway, Symantec recommends that you update VIP Enterprise Gateway to version 9.5 or 9.6 and then apply the steps in this article.
If you do not plan to upgrade the server, ensure that administrators who access administrative functions such as the VIP Enterprise Gateway Configuration Console and the VIP Manager IdP use a browser that has disabled the vulnerable cipher suites. See your browser vendor for the remediation details.
If you have end users accessing the VIP Self Service IdP from inside your corporate network, ensure that all of them use a browser version that has disabled the vulnerable cipher suites.
Version 9.3 onwards
Complete the following procedure on the machine that hosts the VIP Self Service IdP Proxy:
1.Stop the VIP Self Service IdP Proxy service.
a.On Windows, use the services panel.
b.On Linux, run the jetty stop command ./jetty.sh stop
2.Back up jetty.xml from the <SSP_PROXY_INSTALLATION>/server/etc/ folder.
3.Edit jetty.xml. Search for the string <Item>TLS_KRB5_WITH_DES_CBC_SHA</Item> and ensure that the following lines appear after it:
Note: Depending on the product version, jetty.xml might already exclude some of these cipher suites. Append only the ones that are missing from the list above.
4.Start the VIP Self Service IdP Proxy service:
a.On Windows, use the service panel.
b.On Linux, run the jetty start command ./jetty.sh start
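To check that the edited jetty.xml really excludes every export-grade cipher suite, and to append the missing ones after the TLS_KRB5_WITH_DES_CBC_SHA item as step 3 describes, the following Python script is an added example; it is not part of this advisory and not the product's own code. Because the advisory does not reproduce its list of cipher suites, the list used here is the set of standard JSSE names for the export-grade suites, which is an assumption on my part; the sample XML is constructed, and only the anchor item comes from the advisory.

```python
import re
import xml.etree.ElementTree as ET

# Standard JSSE names for the export-grade cipher suites (40-bit symmetric
# keys and/or 512-bit RSA or DH key exchange). FREAK needs an RSA_EXPORT
# suite to be accepted, but none of these should be negotiable.
# Assumption: this list is taken from the JSSE standard cipher-suite names,
# not from the advisory, which does not reproduce its own list.
EXPORT_GRADE_SUITES = (
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
    "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
    "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
    "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
    "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
)

# The <Item> the advisory tells you to search for in jetty.xml.
ANCHOR_SUITE = "TLS_KRB5_WITH_DES_CBC_SHA"

# Constructed sample in the shape of a Jetty ExcludeCipherSuites block. It is
# not the product's real jetty.xml: only the anchor item comes from the
# advisory; the other items and the element ids are illustrative.
SAMPLE_JETTY_XML = """\
<Configure id="Server">
  <New id="sslConnector">
    <Set name="ExcludeCipherSuites">
      <Array type="java.lang.String">
        <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
        <Item>TLS_KRB5_WITH_DES_CBC_SHA</Item>
        <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
      </Array>
    </Set>
  </New>
</Configure>
"""


def excluded_suites(xml_text):
    """Return every <Item> under a <Set name="ExcludeCipherSuites">, in file order."""
    root = ET.fromstring(xml_text)
    found = []
    for node in root.iter("Set"):
        if node.get("name") == "ExcludeCipherSuites":
            found.extend(item.text.strip() for item in node.iter("Item") if item.text)
    return found


def missing_export_suites(xml_text):
    """Export-grade suites that the configuration does not exclude yet."""
    present = set(excluded_suites(xml_text))
    return [suite for suite in EXPORT_GRADE_SUITES if suite not in present]


def add_missing_suites(xml_text):
    """Insert the missing suites as <Item> lines directly after the anchor
    item, keeping the file's indentation, as step 3 describes. The edit is
    made on the raw text so comments and formatting elsewhere are untouched."""
    missing = missing_export_suites(xml_text)
    if not missing:
        return xml_text
    pattern = re.compile(r"^([ \t]*)<Item>%s</Item>[ \t]*$" % re.escape(ANCHOR_SUITE),
                         re.MULTILINE)
    match = pattern.search(xml_text)
    if match is None:
        raise ValueError("anchor <Item>%s</Item> not found; edit jetty.xml by hand" % ANCHOR_SUITE)
    indent = match.group(1)
    new_lines = "".join("\n%s<Item>%s</Item>" % (indent, suite) for suite in missing)
    return xml_text[:match.end()] + new_lines + xml_text[match.end():]


def patch_file(path, write=False):
    """Report the missing suites in a real jetty.xml and, with write=True,
    rewrite it in place. Take the backup from step 2 before writing."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    missing = missing_export_suites(text)
    if missing and write:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(add_missing_suites(text))
    return missing


if __name__ == "__main__":
    print("missing export-grade exclusions:", missing_export_suites(SAMPLE_JETTY_XML))
    print(add_missing_suites(SAMPLE_JETTY_XML))
```

Run patch_file("<SSP_PROXY_INSTALLATION>/server/etc/jetty.xml") to list the gaps, then patch_file(path, write=True) once the backup from step 2 exists, and restart the proxy. After the restart, confirm from outside the network that an export-only handshake is refused; with an OpenSSL 1.0.x client, openssl s_client -cipher EXPORT -connect host:port should fail with no shared cipher.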
Earlier Versions (9.0, 9.1, 9.2)
If you have end users accessing the VIP Self Service IdP from outside your corporate network, ensure that all of them use a browser version that has disabled the vulnerable cipher suites. See your browser vendor for the remediation details.