| Products | Versions |
|---|---|
| Not Applicable | - |
Description:
Except for the TIBCO Hawk Web Console application, TIBCO Hawk is not directly affected by the POODLE vulnerability, because it relies on TIBCO EMS for communication with TIBCO Hawk agents, and TIBCO EMS has addressed this vulnerability. To guard against POODLE, also known as CVE-2014-3566, the latest version or patch/hot-fix of TIBCO EMS must be used; it disables the SSLv3 protocol and prefers the TLS 1.x protocol instead.
The TIBCO Hawk Web Console application, a component of TIBCO Hawk, is hosted on the Apache Tomcat servlet container and HTTP server (Tomcat v7.0.52). TIBCO Hawk Web Console clients (HTTP browsers) may use SSLv3 for secured communication and are hence vulnerable to the POODLE (CVE-2014-3566) security flaw. To address this, Apache Tomcat has advised configuration changes that disable SSLv3 and use TLS 1.x to secure the HTTP communication channel. More information on this configuration is available on the Tomcat wiki at http://wiki.apache.org/tomcat/Security/POODLE
After this configuration change, existing HTTP clients that do not use TLS 1.0 or higher will be incompatible, and their connections will fail with a "Handshake error". Updating the clients to use TLSv1 or higher resolves this. Please also note that, as TLS 1.x is supported by Java 7 and above, Java 6 based clients will not be able to connect to the server.
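As an added illustration (not taken from this article or from the Tomcat wiki), the HTTPS connector in Tomcat's conf/server.xml before and after the change the wiki recommends; the port, keystore path and password are placeholders.

```xml
<!-- conf/server.xml of the Tomcat 7.0.52 instance hosting Hawk Web Console -->

<!-- BEFORE (assumed default): sslEnabledProtocols is not set, so the JVM's
     default protocol list applies. On Java 7 that list still includes SSLv3,
     which is what a browser can be downgraded to in a POODLE attack. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/hawk-console.jks" keystorePass="CHANGE_ME" />

<!-- AFTER: list the handshake protocols Tomcat may accept explicitly.
     sslProtocol="TLS" only names the JSSE SSLContext; sslEnabledProtocols is
     the attribute that actually removes SSLv3 from the offered protocols.
     Caveat: a Java 6 JVM knows only TLSv1, so there the value must be
     sslEnabledProtocols="TLSv1" or the connector fails to start. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           keystoreFile="conf/hawk-console.jks" keystorePass="CHANGE_ME" />
```

After restarting Tomcat, an SSLv3-only handshake attempt against port 8443 (for example from an older OpenSSL build that still has `openssl s_client -ssl3`) should be rejected, while a TLS 1.0 or later client connects normally.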
HTTP clients (browsers) have also announced plans to address the POODLE vulnerability, as follows.
- Both Chrome and Firefox have announced that they are going to disable SSL 3.0 support by default. Firefox 34, with SSL 3.0 disabled, will be released on 25th November, 2014. If you want to disable SSL 3.0 in Firefox now, you can use the SSL Version Control plugin. Chrome has already issued a patch to disable SSL 3.0.
- Microsoft has released guidelines to address the POODLE vulnerability at https://technet.microsoft.com/en-us/library/security/3009008.aspx.
The TIBCO Hawk Web Console application will move to the latest Tomcat distribution, which is pre-configured to disable SSLv3, at the next opportunity when a service pack or hot-fix is released.