Environment
NetIQ eDirectory 8.8 SP8
Novell eDirectory 8.8 SP7
iMonitor
NLDAP
NetIQ iManager 2.7 SP7
Situation
SSLv3 Downgrade Attack - CVE-2014-3566
Unlike many other vulnerabilities, this security issue is not in code but in a protocol. It is therefore not a matter of a particular OS needing a patch. Resolving this vulnerability requires reviewing an environment's ability to remove SSLv3 services and use TLS instead. Both clients and servers need to be reviewed to determine whether their applications and services still require SSLv3.
A good writeup on the subject can be found here: https://www.suse.com/support/kb/doc.php?id=7015773
Resolution
eDirectory services are affected by this vulnerability. This has been resolved by removing SSLv3 as an option for eDirectory's HTTPS and LDAPS interfaces and for the Tomcat secure port used by iManager. This requires the following patches:
- eDirectory to 8.8 SP8 Patch 4 (or later)
- iManager to 2.7 SP7 Patch 3 (or later)
- eDirectory 8.8 SP8 Patch 4 Plug-in for iManager 2.7 SP7 Patch 3
After applying the above patches, SSLv3 is no longer accepted on the HTTPS port. This was made the default setting since most modern browsers support TLS.
Run the command "openssl s_client -connect 192.168.211.61:8030 -ssl3 | grep failure" and make sure you get the following output:
socket: Connection refused
connect:errno=111
However, LDAPS is left listening for SSLv3 requests, since fewer LDAP clients support TLS.
openssl s_client -connect 192.168.211.61:636 -ssl3 | grep failure
depth=1 OU = Organizational CA, O = HVSLES12_TREE1A
verify error:num=19:self signed certificate in certificate chain
verify return:0
Once it has been determined that no LDAP clients are using SSLv3, it can be disabled on LDAPS as well.
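The two openssl checks above depend on an openssl build that still includes SSLv3 support (-ssl3); most current builds have it compiled out and reject the option, so the probe cannot run there. The following is an added verification example, not part of the original article: it sends a minimal SSLv3 ClientHello and classifies the server's first record, so it does not need SSLv3 in the local TLS library. The host and port are the article's sample values and are assumed placeholders.

```python
import socket
import struct

def build_sslv3_client_hello():
    """Constructed SSLv3 ClientHello: one record, one handshake message.

    Record/handshake version 0x0300 is SSLv3. Three legacy suites are
    offered; the probe never completes a handshake, it only reads the
    server's first reply record.
    """
    suites = b"\x00\x2f\x00\x35\x00\x0a"            # AES128-SHA, AES256-SHA, DES-CBC3-SHA
    body = (b"\x03\x00" + b"\x00" * 32 + b"\x00"    # version, client random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                           # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data):
    """Interpret the first record a server sends back to the SSLv3 hello."""
    if len(data) < 5:
        return "closed"              # connection closed without any record
    ctype, major, minor, _length = struct.unpack("!BBBH", data[:5])
    if ctype == 0x15:                # alert record (handshake_failure / protocol_version)
        return "refused"
    if ctype == 0x16 and (major, minor) == (3, 0) and len(data) > 9 and data[5] == 0x02:
        return "sslv3-accepted"      # ServerHello negotiated at version 0x0300
    return "other"

def probe_sslv3(host, port, timeout=5.0):
    """Return 'refused', 'closed', 'sslv3-accepted' or 'other' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_sslv3_client_hello())
            return classify_reply(s.recv(4096))
    except OSError:                  # refused, reset or timed out: no SSLv3 service reachable
        return "closed"

if __name__ == "__main__":
    # Hypothetical targets taken from the article's sample addresses.
    for port in (8030, 636):
        print(port, probe_sslv3("192.168.211.61", port))
```

Only "sslv3-accepted" means the port still needs attention; "refused" or "closed" is the expected result after the patches.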
Steps:
The following patches can be found via NetIQ Patchfinder: https://dl.netiq.com/patch/finder/
(OES customers must use the channel to upgrade and install patches.)
1. Upgrade eDirectory to 8.8 SP8 Patch 4 (or later)
2. Upgrade iManager to 2.7 SP7 Patch 3 (or later)
3. Install the eDirectory 8.8 SP8 Patch 4 Plug-in for iManager 2.7 SP7 Patch 3
4. Use the new LDAP plug-in and LDAP role to disable SSLv3 on the LDAP Server object via the Connections tab.
More information:
- For information on the TLS variant of this vulnerability and its impact on iManager and eDirectory please see KB 7015987.
- To view information related to the impact on Identity Manager please refer to KB 7015788.
iManager services are affected by this vulnerability. The fix is available with iManager 2.7 Support Pack 7 Patch 3.
To disable the SSLv3 protocol manually in iManager 2.7 Support Pack 7 Patch 2 and earlier versions, use the following steps:
- Edit the Tomcat server.xml. For example:
  Linux: /var/opt/novell/tomcat7/conf/server.xml
  Windows: <USER_INSTALL_DIR>\Tomcat\conf\server.xml
- Go to the section <!-- Define a SSL HTTP/1.1 Connector on port -->
- Replace the parameter sslProtocol="TLS" with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
- Save the file.
- Restart Tomcat. For example:
  Linux: rcnovell-tomcat7 restart
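The manual server.xml change above can be scripted so that only the SSL-enabled Connector is touched and the original file is kept as a backup. This is an added example, not NetIQ's tooling; the sample server.xml is constructed to mirror the Connector the article describes, and the file path is a hypothetical default.

```python
import re
import shutil

SSLV3_ATTR = re.compile(r'\bsslProtocol\s*=\s*"TLS"')
TLS_ONLY = 'sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"'

# Constructed sample matching the "Define a SSL HTTP/1.1 Connector" section.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>
"""

def harden_connector_xml(xml_text):
    """Replace sslProtocol="TLS" on SSL-enabled Connectors only.

    Returns (new_text, number_of_connectors_changed). Plain HTTP connectors
    and connectors that already list sslEnabledProtocols are left untouched,
    so the function is safe to run repeatedly.
    """
    changed = 0

    def fix(match):
        nonlocal changed
        connector = match.group(0)
        if 'SSLEnabled="true"' not in connector and 'secure="true"' not in connector:
            return connector                    # non-SSL connector: leave alone
        if "sslEnabledProtocols=" in connector:
            return connector                    # protocols already pinned explicitly
        new, n = SSLV3_ATTR.subn(TLS_ONLY, connector)
        changed += n
        return new

    # Match each <Connector ...> start tag; comments do not match this pattern.
    return re.sub(r"<Connector\b[^>]*>", fix, xml_text), changed

def harden_server_xml(path="/var/opt/novell/tomcat7/conf/server.xml"):
    """Rewrite the file in place, keeping a .bak copy; returns connectors changed."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    new_text, changed = harden_connector_xml(text)
    if changed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as f:
            f.write(new_text)
    return changed
```

Restart Tomcat after the file changes, as in the manual steps.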