-
Title
Is Management Console for Unix affected by the DROWN vulnerability? CVE-2016-0800 - How to disable SSLv2 / SSLv3 ? -
Description
Is Management Console for Unix affected by the DROWN vulnerability? CVE-2016-0800
'Decrypting RSA with Obsolete and Weakened eNcryption' - DROWN
More information on the DROWN issue can be found at the following links:
https://drownattack.com/
CVE-2016-0800:
https://www.openssl.org/news/secadv/20160301.txtNote that this same resolution will also disable SSLv2 and SSLv3.
-
Resolution
This vulnerability only affects SSL version 2.
Therefore in order to resolve this issue, the underlying web server (Jetty) should have SSLv2 disabled.
This is done via the jetty.xml file.
On Windows the jetty.xml file will be in this location assuming default install:
C:\Program Files (x86)\Quest Software\Management Console for Unix\etc\jetty.xml
On Unix or Linux it will be in this location:
/opt/quest/mcu/etc/jetty.xml
The file can be edited using notepad or vi.Replace the following section:----------<Call name="addConnector"><Arg><!--BlockingIO.org.eclipse.jetty.server.ssl.SslSocketConnectorNonBlockingIO.org.eclipse.jetty.server.ssl.SslSelectChannelConnectorhttp://wiki.eclipse.org/Jetty/Howto/Configure_Connectors--><New class="org.eclipse.jetty.server.ssl.SslSocketConnector"><Set name="Port"><SystemProperty name="port.https" default="443"/></Set><Set name="maxIdleTime">30000</Set><Set name="keystore"><SystemProperty name="jetty.keystorePath" /></Set><Set name="password"><SystemProperty name="jetty.keystorePassword" /></Set><Set name="keyPassword"><SystemProperty name="jetty.keyPassword" /></Set><Set name="truststore"><SystemProperty name="jetty.truststorePath" /></Set><Set name="trustPassword"><SystemProperty name="jetty.trustPassword" /></Set><Set name="requestHeaderSize">65536</Set><Set name="responseHeaderSize">65536</Set>----------
With:
----------<New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory"><Set name="KeyStore"><SystemProperty name="jetty.keystorePath" /></Set><Set name="KeyStorePassword"><SystemProperty name="jetty.keystorePassword" /></Set><Set name="KeyManagerPassword"><SystemProperty name="jetty.keyPassword" /></Set><Set name="TrustStore"><SystemProperty name="jetty.truststorePath" /></Set><Set name="TrustStorePassword"><SystemProperty name="jetty.trustPassword" /></Set><Set name="ExcludeProtocols"><Array type="java.lang.String"><Item>SSLv3</Item><Item>SSLv2</Item></Array></Set></New><Call name="addConnector"><Arg><New class="org.eclipse.jetty.server.ssl.SslSocketConnector"><Arg><Ref id="sslContextFactory" /></Arg><Set name="Port"><SystemProperty name="port.https" default="443"/></Set><Set name="maxIdleTime">30000</Set><Set name="requestHeaderSize">65536</Set><Set name="responseHeaderSize">65536</Set>----------
Afterwards the service will need to be restarted.
On Windows servers:
Start > Run > services.msc find 'Quest One Management Console for Unix' then right click and select Restart.
On Unix or Linux the following command will restart the service:
# /opt/quest/mcu/mcu_service restart