NOC 5.0 SSL workaround to address concern about POODLE SSLv3 vulnerability

  • 7015790
  • 17-Oct-2014
  • 13-Feb-2015

Environment

NetIQ Operations Center 5.0

Situation

Customers may be concerned that, because the NOC JVM implements SSLv3 as one of its SSL protocols, it could be vulnerable to attacks that exploit SSLv3 vulnerabilities, such as POODLE (https://www.openssl.org/~bodo/ssl-poodle.pdf). NOC Engineering has come up with a workaround that turns off SSL for NOC and allows only the TLS protocol, which is not vulnerable to POODLE, within the NOC JVMs.

Resolution

Concerned customers should follow these steps to turn off SSLv3 within NOC:

  1. Stop the NOC server.
  2. Edit the NOC/config/Formula.custom.properties file (create it if it does not yet exist on the NOC server).
  3. Add the following line to the Formula.custom.properties file: 
    com.mosol.ssl.enabledProtocols=TLSv1
  4. Save the changes.
  5. Restart the NOC server.
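
To confirm the change took effect after the restart, the following added example (not NetIQ code) sends an SSLv3-only ClientHello to a listener and reports whether the server answers with an SSLv3 ServerHello or refuses. The host and port are supplied by the operator as command-line arguments; this page does not list the NOC SSL ports.

```python
import os
import socket
import struct
import sys

SSL3 = b"\x03\x00"
# Suites widely implemented for SSLv3: RSA with RC4-128-SHA, 3DES-SHA, AES128-SHA, AES256-SHA
SUITES = b"\x00\x05\x00\x0a\x00\x2f\x00\x35"


def build_sslv3_client_hello():
    """One record holding a ClientHello that offers SSL 3.0 as its only version."""
    body = SSL3 + os.urandom(32) + b"\x00"             # version, random, empty session id
    body += struct.pack("!H", len(SUITES)) + SUITES    # cipher suite list
    body += b"\x01\x00"                                # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data):
    """Interpret the first bytes the server returned for the SSLv3-only hello."""
    if data[:1] == b"\x15" and len(data) >= 7:         # alert record: level, description
        return "rejected (alert %d)" % data[6]
    if data[:1] == b"\x16" and len(data) >= 11 and data[5] == 0x02:
        # ServerHello: the chosen version follows the 4-byte handshake header
        return "SSLv3 ACCEPTED" if data[9:11] == SSL3 else "unexpected version"
    return "no ServerHello (closed or non-TLS reply)"


def probe(host, port, timeout=5.0):
    """Send the hello to host:port and classify what comes back."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            sock.sendall(build_sslv3_client_hello())
            while len(data) < (7 if data[:1] == b"\x15" else 11):
                chunk = sock.recv(11 - len(data))
                if not chunk:
                    break
                data += chunk
        except OSError:                                # reset or timeout counts as no reply
            pass
    return classify_reply(data)


if __name__ == "__main__":
    # Host and port of the NOC listener under test are supplied by the operator.
    print(probe(sys.argv[1], int(sys.argv[2])))
```

A result of "SSLv3 ACCEPTED" means the listener still negotiates SSLv3, so the property was not picked up by that JVM; an alert or a closed connection is the expected result once only TLSv1 is enabled.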

Customers concerned about the Dashboard JVM being affected need only disable the SSLv3 protocol in the browser they use to view the Dashboard client.

Cause

Researchers discovered a potential security vulnerability within the SSLv3 protocol, which they nicknamed POODLE (more information can be found at https://www.openssl.org/~bodo/ssl-poodle.pdf).
Since NOC allows SSL communication to be implemented, customers may be concerned that their NOC servers are exposed to this.

Status

Reported to Engineering
Security Alert