A vulnerability has been discovered in the aging SSLv3 security protocol that can allow access to cookies and other sensitive data from a webserver that supports SSLv3. Even where the webserver, as Cloud Access Manager does, supports modern security protocols in addition to SSLv3, it may still be at risk via a protocol downgrade attack that forces the connection back to SSLv3.
RESOLUTION: Disable SSLv3 support in front-end browser access to the Cloud Access Manager proxy by making the following change(s) in the server.xml file on all deployed proxy servers:
1. Take a backup copy of C:\Program Files\Dell\Software\Cloud Access Manager Proxy\conf\server.xml.
2. Open C:\Program Files\Dell\Software\Cloud Access Manager Proxy\conf\server.xml for edit.
3. In the tag for ‘Connector port="443"’ replace the ‘SSLProtocol="TLS"’ parameter with the new parameter: sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
NOTE: The parameter must be typed exactly as shown above and is case sensitive. If it is mis-typed the change may not be applied. If the change is not being picked up, check the logs and catalina.txt for an error similar to the following, which shows a mis-cased attribute name being ignored:
[WARN] [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslenabledProtocols' to 'TLSv1, TLSv1.1, TLSv1.2' did not find a matching property.
4. If you have a Front End Authenticator configured for Smartcard authentication then you will need to repeat the above step for the connector handling the port configured for Smartcard authentication, e.g. port 8443.
5. Save and close the server.xml file.
6. Restart the Cloud Access Manager proxy service.
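As an added illustration of steps 3 and 4 (this is not code from the KB article or from the Cloud Access Manager product), the following Python script applies the connector change to a server.xml and then audits the result. The server.xml embedded in it is constructed: the attribute set, the keystore path and the 8443 smartcard connector are assumptions about a typical Tomcat layout, not the product's actual file. The audit also catches the case-sensitivity trap described in the NOTE: a mis-cased attribute name such as sslenabledProtocols is silently ignored by the server, which is exactly the condition the catalina warning reports.

```python
import re
import xml.etree.ElementTree as ET

# Exact attribute the article instructs for every SSL-enabled connector.
WANTED = 'sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"'

# Constructed sample resembling a Tomcat server.xml (assumption: the
# attribute names, keystore path and 8443 smartcard connector are illustrative).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" redirectPort="443" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="conf/proxy.jks" SSLProtocol="TLS" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="want"
               keystoreFile="conf/proxy.jks" SSLProtocol="TLS" />
  </Service>
</Server>
"""

# Match one <Connector ... /> start tag, then the SSLProtocol attribute inside it.
CONNECTOR_RE = re.compile(r"<Connector\b[^>]*?/?>", re.DOTALL)
SSLPROTOCOL_RE = re.compile(r'\bSSLProtocol\s*=\s*"[^"]*"', re.IGNORECASE)


def disable_sslv3(xml_text):
    """Return server.xml text with SSLProtocol="..." on every SSL-enabled
    Connector replaced by the exact sslEnabledProtocols value (step 3/4).
    The edit is textual so comments and layout of the file are preserved."""
    def fix(match):
        tag = match.group(0)
        if 'SSLEnabled="true"' not in tag:
            return tag                      # plain HTTP connector: leave alone
        if "sslEnabledProtocols=" in tag:
            return tag                      # already converted
        if SSLPROTOCOL_RE.search(tag):
            return SSLPROTOCOL_RE.sub(WANTED, tag, count=1)
        # No SSLProtocol attribute at all: append the new one before the close.
        close = "/>" if tag.endswith("/>") else ">"
        return tag[:-len(close)].rstrip() + " " + WANTED + " " + close
    return CONNECTOR_RE.sub(fix, xml_text)


def check_config(xml_text):
    """Audit every SSL-enabled Connector and return a list of findings.
    Reports connectors that still lack the attribute, attributes whose
    name is mis-cased (ignored by the server), and any SSL* protocol value."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue
        port = conn.get("port", "?")
        attrs = {k.lower(): (k, v) for k, v in conn.attrib.items()}
        if "sslenabledprotocols" not in attrs:
            findings.append(f"port {port}: no sslEnabledProtocols, SSLv3 may still be offered")
            continue
        name, value = attrs["sslenabledprotocols"]
        if name != "sslEnabledProtocols":
            findings.append(f"port {port}: attribute '{name}' is mis-cased and will be ignored")
        protocols = [p.strip() for p in value.split(",")]
        if any(p.upper().startswith("SSL") for p in protocols):
            findings.append(f"port {port}: SSLv3 still enabled via '{value}'")
    return findings


if __name__ == "__main__":
    import sys
    # Audit a real file if a path is given, otherwise the constructed sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for finding in check_config(text) or ["no SSLv3 findings"]:
        print(finding)
```

Running the script with the path to the backed-up server.xml lists each HTTPS connector that still needs attention; `disable_sslv3` returns the edited text for you to review before writing it back, since the article's step 1 backup is the only safety net on the live proxy.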
To verify that you have disabled SSLv3 successfully you can use a tool such as OpenSSL or TestSSLServer. For example if you have OpenSSL available (download it for Windows here: OpenSSL Binaries), run this command to connect to your webserver:
openssl s_client -connect www.webapps.cloudaccessmanager.com:443 -ssl3
Before the server.xml change you will be able to connect to your webserver; after the change the command will return a “wrong version number” message. Only changing the -ssl3 parameter to -tls1 will now allow the connection.
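The openssl check above can also be scripted. The following Python probe is an added example, not part of the article or of the product: it sends a minimal SSLv3 ClientHello (the cipher-suite list it offers is a constructed selection of SSLv3-era suites) and classifies the server's first reply, the same exchange openssl s_client -ssl3 performs. A server that answers with an alert or simply closes the connection has SSLv3 disabled; a server that replies with an SSLv3 ServerHello still accepts the protocol. The hostname comes from the command line; the article's www.webapps.cloudaccessmanager.com stands in for your own proxy.

```python
import os
import socket
import struct

SSLV3 = b"\x03\x00"
# Constructed offer list: RSA/AES-128, RSA/AES-256, RSA/3DES, RSA/RC4-SHA, RSA/RC4-MD5.
CIPHER_SUITES = b"\x00\x2f\x00\x35\x00\x0a\x00\x05\x00\x04"


def build_sslv3_client_hello(random_bytes=None):
    """Return a complete SSLv3 ClientHello: record header + handshake header + body."""
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    body = (SSLV3 + rnd + b"\x00"                       # client_version, random, empty session_id
            + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
            + b"\x01\x00")                              # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record a server sent back to the SSLv3 ClientHello."""
    if not data:
        return "rejected: connection closed without a reply"
    ctype = data[0]
    if ctype == 0x15 and len(data) >= 7:                # alert record
        level, desc = data[5], data[6]
        names = {40: "handshake_failure", 70: "protocol_version"}
        return f"rejected: alert {names.get(desc, desc)} (level {level})"
    if ctype == 0x16 and len(data) >= 11 and data[5] == 0x02:   # handshake, ServerHello
        if data[9:11] == SSLV3:
            return "VULNERABLE: server completed an SSLv3 ServerHello"
        return f"negotiated unexpected version {data[9]}.{data[10]}"
    return f"unrecognised reply (first byte 0x{ctype:02x})"


def probe(host, port=443, timeout=5.0):
    """Connect to host:port, send the SSLv3 ClientHello and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        try:
            data = s.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""                                  # reset or silence counts as a rejection
    return classify_response(data)


if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{host}:{port} -> {probe(host, port)}")
```

Run it once against port 443 and, if a smartcard Front End Authenticator is configured, once more against that connector's port (8443 in the article), since each connector is fixed separately in server.xml.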
Or if your site is available externally you can use the SSL Labs analyzer service to test your site:
1. Go to SSL LABS
2. Enter your proxy hostname in the Domain field.
3. Check the “Do not show the results on the boards” option.
4. Submit to get a security report on your site. It should clearly show that SSLv3 is disabled and the site is not vulnerable to a POODLE attack.
Back-end connections from the reverse proxy to application webservers are not vulnerable unless the application only supports SSLv3. However, if an application can also be accessed directly without going via Cloud Access Manager, then it may still be vulnerable to this exploit, and so it is the responsibility of the system administrator to ensure that each application does not support the SSLv3 protocol wherever possible.
© 2024 One Identity LLC. ALL RIGHTS RESERVED.