Protecting TIBCO iProcess Suite from POODLE

Products	Versions
TIBCO iProcess Client (ASP)	-
TIBCO iProcess Engine (DB2)	-
TIBCO iProcess Engine (SQL)	-

Description

Description:

The recently discovered POODLE issue with SSL (CVE-2014-3566), detailed at https://www.openssl.org/news/secadv_20141015.txt, allows an attacker (a man-in-the-middle) to decrypt ciphertext using a padding oracle side-channel attack. However, Transport Layer Security (TLS), the newer encryption mechanism is not affected by POODLE.

TIBCO iProcess(R) Engine

TIBCO iProcess(R) Engine 11.4.1 embeds Apache Tomcat 7.0.40 which can be configured not to use SSL V3.

Customers are recommended to refer to the following sites which provide advice on how to disable SSLv3 in Apache Tomcat:

• https://wiki.apache.org/tomcat/Security/POODLE
• https://access.redhat.com/solutions/1232233

TIBCO iProcess(R) Workspace (Browser)

TIBCO iProcess(R) Workspace (Browser) and the underlying Action Processor can be hosted independently on Web Servers. The installation guides provide examples of installing them in Apache Tomcat and Microsoft IIS.

Customers are recommended to refer to the sites mentioned above or to the following if IIS is being used:

• https://technet.microsoft.com/en-us/library/security/3009008.aspx

TIBCO iProcess(R) Workspace Lite

TIBCO iProcess(R) Workspace Lite is hosted in an application server and relies on the Action processor from iProcess Workspace (Browser) which must be similarly hosted. Please refer to the recommendations above for iProcess Workspace (Browser).

TIBCO iProcess(R) Client (JSP)

TIBCO iProcess(R) Client (JSP) can be hosted on a number of Web/Application Servers such as: Apache Tomcat, JBoss, IBM WebSphere and Oracle WebLogic. Customers are recommended to refer to the appropriate documentation to ensure the security of their installation:

•   Apache Tomcat https://wiki.apache.org/tomcat/Security/POODLE
•   Apache Tomcat and JBoss https://access.redhat.com/solutions/1232233
•   IBM WebSphere http://www-01.ibm.com/support/docview.wss?uid=swg21687189
•   Oracle WebLogic Server http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html

TIBCO iProcess(R) Client (ASP)

TIBCO iProcess(R) Client (ASP) is hosted by Microsoft IIS. Customers are recommended to refer to the sites mentioned above or to the following if IIS is being used:

• https://technet.microsoft.com/en-us/library/security/3009008.aspx

TIBCO iProcess(R) Technology Plug-ins

TIBCO iProcess(R) Technology Plug-ins utilize TIBCO Enterprise Message Service(TM) for communication between TIBCO iProcess and TIBCO ActiveMatrix BusinessWorks. Enterprise Message Service(TM) can be configured to use secure communications with SSL. Please follow the guidance for Enterprise Message Service

TIBCO iProcess(R) Web Services Plug-in

TIBCO iProcess(R) Web Services Plug-in embeds Jetty Web Server 6.1.25. This version of Jetty can be reconfigured such that the SSL Connector (if configured) will not accept the SSLv3 protocol.

This is only applicable if iProcess Web Services Server Plug-in was configured to use SSL during installation.

1) Modify the $JETTY_HOME/etc/jetty-ssl.xml file, and add the following section within the
<New class="org.mortbay.jetty.security.SslSocketConnector"> tag:

         <Set name="ExcludeCipherSuites">
             <Array type="java.lang.String"> <Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</Item>
<Item>TLS_RSA_WITH_AES_256_CBC_SHA256</Item>
<Item>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384</Item>
<Item>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384</Item>
<Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
<Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</Item>
<Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
               <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
<Item>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</Item>
<Item>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA</Item>
<Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
<Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
<Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_RSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
               <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>

<Item>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
               <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_EMPTY_RENEGOTIATION_INFO_SCSV2</Item>

<Item>TLS_DH_anon_WITH_AES_256_CBC_SHA256</Item>
<Item>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</Item>
<Item>TLS_DH_anon_WITH_AES_256_CBC_SHA</Item>
<Item>TLS_DH_anon_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_DH_anon_WITH_AES_128_CBC_SHA</Item>

<Item>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</Item>
               <Item>TLS_RSA_WITH_NULL_SHA256</Item>
               <Item>TLS_ECDHE_ECDSA_WITH_NULL_SHA</Item>
               <Item>TLS_ECDHE_RSA_WITH_NULL_SHA</Item>
               <Item>SSL_RSA_WITH_NULL_SHA</Item>
               <Item>TLS_ECDH_ECDSA_WITH_NULL_SHA</Item>
               <Item>TLS_ECDH_RSA_WITH_NULL_SHA</Item>
               <Item>SSL_RSA_WITH_NULL_SHA</Item>
               <Item>TLS_ECDH_ECDSA_WITH_NULL_SHA</Item>
               <Item>TLS_ECDH_RSA_WITH_NULL_SHA</Item>
               <Item>TLS_ECDH_anon_WITH_NULL_SHA</Item>
               <Item>SSL_RSA_WITH_NULL_MD5</Item>
               <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
               <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
               <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
               <Item>SSL_DH_anon_WITH_DES_CBC_SHA</Item>

<Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</Item>

<Item>TLS_KRB5_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_KRB5_WITH_3DES_EDE_CBC_MD5</Item>
               <Item>TLS_KRB5_WITH_DES_CBC_SHA</Item>
               <Item>TLS_KRB5_WITH_DES_CBC_MD5</Item>

<Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA</Item>
<Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5</Item>

               </Array>
         </Set>

2) Restart Jetty

Troubleshooting:

The above change limits the Cipher Suites that Jetty uses for SSL to RC4 based Ciphers, it is therefore important to ensure that the key being used for SSL can be used for this. If this is not the case, the following error will be reported:

30-Oct-2014 10:12:53 org.mortbay.log.Slf4jLog warn
WARNING: EXCEPTION
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
         at
com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:310)
         at
com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:255)
         at
org.mortbay.jetty.security.SslSocketConnector.accept(SslSocketConnector.java:197)
         at
org.mortbay.jetty.AbstractConnector$Acceptor.run(AbstractConnector.java:708)
         at
org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)

The resolution to this issue is to create a new key using a supported Key Algorithm.

Issue/Introduction

Protecting TIBCO iProcess Suite from POODLE

Welcome to "KB Articles"