Environment
ZENworks Reporting 5
Situation
A bug in the OpenSSL client libraries (the attack commonly known as FREAK) lets a client accept a weaker, export-grade RSA key even though it never asked for an export cipher suite. This is only exploitable when the server still supports the EXPORT cipher suites. A man in the middle rewrites the client's hello so that the server negotiates an export suite, a weaker cipher suite than the client requested, and then "tricks" the client into accepting the resulting 512-bit RSA key. With that weak key in place, the traffic between client and server can be decrypted using known attacks on export-grade RSA: factoring a 512-bit modulus is feasible with commodity computing resources. The resolution below removes the EXPORT suites from the ZENworks Reporting Tomcat connector, so the downgrade cannot be negotiated regardless of the patch level of the connecting clients.
Resolution
Follow the steps below on Linux:
1. Log in to the ZENworks Reporting (ZR) server.
2. Stop the ZR service: https://www.novell.com/documentation/zenworks113/zen11_zrs_installation/data/b9k8or5.html#b15jn0td
3. Go to /opt/novell/zenworks-reporting/js/apache-tomcat/conf and open server.xml (back up the original file first).
4. Search for <Connector SSLEnabled="true" (if you cannot find it, search for keystoreFile instead).
5. Add the following attribute after port="8443", keeping the whole value on one line:
ciphers="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA"
Setting ciphers explicitly replaces the JVM default list, so no EXPORT suite can be negotiated. Note that this list still contains RC4 and 3DES suites, which are considered weak by current standards; if all your clients support AES, you can drop the RC4 and 3DES entries and keep only the AES suites.
For example:
Before:
<Connector SSLEnabled="true" clientAuth="false" keyAlias="tomcat" keystoreFile="/opt/novell/zenworks-reporting/conf/security/server.keystore" keystorePass="password" maxThreads="200" port="8443" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS"/>
After:
<Connector SSLEnabled="true" clientAuth="false" keyAlias="tomcat" keystoreFile="/opt/novell/zenworks-reporting/conf/security/server.keystore" keystorePass="password" maxThreads="200" port="8443" ciphers="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS"/>
6. Start the ZR service again: https://www.novell.com/documentation/zenworks113/zen11_zrs_installation/data/b9k8or5.html#b15jn0td
Follow the steps below on Windows:
1. Log in to the ZENworks Reporting (ZR) server.
2. Stop the ZR service: https://www.novell.com/documentation/zenworks113/zen11_zrs_installation/data/b9k8or5.html#b15jn0td
3. Go to %ZRS_HOME%/js/apache-tomcat/conf and open server.xml (back up the original file first).
4. Search for <Connector SSLEnabled="true" (if you cannot find it, search for keystoreFile instead).
5. Add the following attribute after port="8443", keeping the whole value on one line:
ciphers="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA"
The same caveat applies as on Linux: the list excludes every EXPORT suite but still allows RC4 and 3DES, which you can remove if your clients support AES.
For example:
Before:
<Connector SSLEnabled="true" clientAuth="false" keyAlias="tomcat" keystoreFile="%ZRS_HOME%/conf/security/server.keystore" keystorePass="password" maxThreads="200" port="8443" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS"/>
After:
<Connector SSLEnabled="true" clientAuth="false" keyAlias="tomcat" keystoreFile="%ZRS_HOME%/conf/security/server.keystore" keystorePass="password" maxThreads="200" port="8443" ciphers="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS"/>
6. Start the ZR service again: https://www.novell.com/documentation/zenworks113/zen11_zrs_installation/data/b9k8or5.html#b15jn0td
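To confirm that the change took effect, the script below (an added example, not part of this TID or of the ZENworks product) does what the attack precondition requires: it sends the server a raw TLS 1.0 ClientHello that offers only export-grade cipher suites and reports whether the server completes the hello with one of them or answers with a handshake_failure alert. It also audits a Tomcat ciphers="..." value for EXPORT, NULL and anonymous suites, and separately flags the RC4, 3DES and MD5 suites that the list above still permits. The host name zr.example.internal is an assumed placeholder; the cipher suite code points are the registered IANA values.

```python
import os
import socket
import struct
import sys

# Export-grade suites with their IANA code points (constructed subset). A server
# that selects one of these when they are the only suites offered still supports
# the EXPORT suites and is therefore exposed to the downgrade described above.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}

HANDSHAKE_FAILURE = 40  # TLS alert description a hardened server should return


def build_client_hello(suites, version=b"\x03\x01"):
    """Minimal TLS 1.0 ClientHello record offering only the given cipher suites."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (version + os.urandom(32) + b"\x00"           # version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                                # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first TLS record the server sends back.

    Returns ("alert", description) for an alert record, ("server_hello", suite)
    when the server selected one of the offered suites, or ("unknown", None).
    """
    if len(data) < 5:
        return ("unknown", None)
    ctype = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:
        return ("alert", payload[1])
    if ctype == 0x16 and len(payload) >= 4 and payload[0] == 0x02:
        hello = payload[4:]                 # skip the 4-byte handshake header
        sid_len = hello[34]                 # 2 bytes version + 32 bytes random
        suite = struct.unpack("!H", hello[35 + sid_len:37 + sid_len])[0]
        return ("server_hello", suite)
    return ("unknown", None)


def accepts_export(kind, value):
    """True when the server completed a hello using an export-grade suite."""
    return kind == "server_hello" and value in EXPORT_SUITES


def probe(host, port=8443, timeout=5.0):
    """Offer only export suites to host:port and report what the server answered."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(EXPORT_SUITES.keys()))
        kind, value = parse_server_response(sock.recv(4096))
    if accepts_export(kind, value):
        print(f"VULNERABLE: {host}:{port} negotiated {EXPORT_SUITES[value]}")
    elif kind == "alert" and value == HANDSHAKE_FAILURE:
        print(f"OK: {host}:{port} refused every export suite (handshake_failure)")
    else:
        print(f"INCONCLUSIVE: {host}:{port} answered {kind} {value!r}")
    return accepts_export(kind, value)


# Non-export suites in the TID's list that are weak by current standards.
LEGACY_MARKERS = ("RC4", "3DES", "_MD5")


def audit_cipher_list(ciphers_attr):
    """Split a Tomcat ciphers="..." value and report export-grade and legacy suites."""
    suites = [s.strip() for s in ciphers_attr.split(",") if s.strip()]
    export = [s for s in suites if "EXPORT" in s or "_NULL_" in s or "_anon_" in s]
    legacy = [s for s in suites if any(m in s for m in LEGACY_MARKERS)]
    return {"total": len(suites), "export": export, "legacy": legacy}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "zr.example.internal"  # assumed host
    probe(target)
```

Run it as python3 probe.py zr.example.internal after the service is back up; a correctly configured connector answers with a handshake_failure alert, whereas a server that still has the JVM default list answers with a ServerHello naming one of the export suites. A raw hello is used rather than openssl s_client -cipher EXPORT because current OpenSSL builds no longer compile the export ciphers and cannot offer them. The probe speaks TLS 1.0 without extensions; a server that has TLS 1.0 disabled will answer with a protocol_version alert, which the script reports as inconclusive rather than as a pass.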