Products | Versions |
---|---|
TIBCO Ajax Message Service Enterprise Edition | - |
Not Applicable | - |
Description:
Google's researchers recently discovered a new vulnerability affecting the SSL protocol. POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption, allows an attacker (a man-in-the-middle) to decrypt ciphertext using a padding oracle side-channel attack. Full details are available in this Google paper.
POODLE affects older standards of encryption, specifically Secure Socket Layer (SSL) version 3.0. It does not affect Transport Layer Security (TLS), the newer encryption mechanism.
TIBCO Ajax Message Service relies on the underlying Java Virtual Machine (JVM) for the implementation of the SSL and TLS encryption and cipher suites. While waiting for the availability of a JVM upgrade that avoids SSL 3.0 by default, we recommend configuring Ajax Message Service to prevent the use of SSL 3.0 for all HTTPS and WSS connections.
HOW TO DISABLE SSLv3 IN AJAX MESSAGE SERVICE
NOTE: Disabling SSLv3 in Ajax Message Service is only possible starting from version 5.1.1. If you are using an older version of Ajax Message Service, we recommend that you upgrade to the latest version (currently, 5.1.2).
To disable SSLv3, edit lightstreamer_conf.xml to configure the allowed protocols for each listening port that enables HTTPS. This corresponds to each <https_server> block and, possibly, to the <rmi_connector> block inside <jmx>, if configured for SSL communication.
By default, the AMS Server allows all protocols available in the Java implementation. But if at least one <allow_protocol> element is present in the block, only the specified protocols will be allowed.
So, just insert in each block the following lines:
<allow_protocol>TLSv1.2</allow_protocol>
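To confirm the change was applied to every block, the following added example (not TIBCO code) parses a configuration and reports each <https_server> or <jmx>/<rmi_connector> block that has no <allow_protocol> element or that still lists SSLv3. The sample configuration is constructed; its root element, name attributes and port values are assumptions, and only the element names mentioned above come from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Only the element names https_server, jmx, rmi_connector
# and allow_protocol come from the advisory; the root element, the name
# attributes and the port values are hypothetical.
SAMPLE_CONF = """\
<lightstreamer_conf>
  <https_server name="default"><port>8443</port></https_server>
  <https_server name="mixed">
    <port>9443</port>
    <allow_protocol>SSLv3</allow_protocol>
    <allow_protocol>TLSv1.2</allow_protocol>
  </https_server>
  <https_server name="strict">
    <port>10443</port>
    <allow_protocol>TLSv1.2</allow_protocol>
  </https_server>
  <jmx>
    <rmi_connector><allow_protocol>TLSv1.2</allow_protocol></rmi_connector>
  </jmx>
</lightstreamer_conf>
"""

def audit_protocols(xml_text):
    """Return (block, problem) pairs for blocks that could still accept SSL 3.0."""
    root = ET.fromstring(xml_text)
    blocks = [(f"https_server[{i}]", el)
              for i, el in enumerate(root.iter("https_server"), 1)]
    # The rmi_connector block matters only if it is configured for SSL;
    # this script cannot tell, so it is checked the same way as HTTPS blocks.
    blocks += [(f"jmx/rmi_connector[{i}]", el)
               for i, el in enumerate(root.findall(".//jmx/rmi_connector"), 1)]
    findings = []
    for label, el in blocks:
        allowed = [(p.text or "").strip() for p in el.findall("allow_protocol")]
        if not allowed:
            # No allow-list at all: every protocol the JVM offers is accepted.
            findings.append((label, "missing_allow_protocol"))
        elif any(p.lower() == "sslv3" for p in allowed):
            findings.append((label, "sslv3_allowed"))
    return findings

if __name__ == "__main__":
    for label, problem in audit_protocols(SAMPLE_CONF):
        print(f"{label}: {problem}")
```

To audit a real installation, pass the contents of lightstreamer_conf.xml to audit_protocols(); an empty result means every checked block has an allow-list without SSLv3.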