General Troubleshooting: SSLv3 POODLE Vulnerability Issue in Unified CVP 8.5(1)/9.0(1)


Problem Summary: To resolve the Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability in Unified CVP, you must disable SSLv3 on the Unified CVP Reporting Server, Call Server, and Operations Console.
Error Message: NA
Possible Cause: POODLE is a vulnerability in the SSLv3 protocol. It allows attackers to:
• Downgrade an SSL/TLS connection to SSLv3
• Break the cryptographic security of that connection

Recommended Action

To resolve the Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability in Unified CVP, you must disable SSLv3 on the Unified CVP Reporting Server, Call Server, and Operations Console.
The following steps disable SSLv3:
Step 1 From the Windows Start menu, select Start > Control Panel > Administrative Tools > Services.
a) Highlight the following services:
• CVP CallServer
• Cisco CVP VXMLServer
• CVP Operations Console
• Cisco CVP WebServicesManager
b) Click the Stop the service link in the upper left corner of the screen.

Step 2 Back up the server.xml file of each Unified CVP component. The files are located in the following paths:

• For Call Server
<install drive:>\Cisco\CVP\CallServer\Tomcat\conf
• For VXML Server
<install drive:>\Cisco\CVP\VXMLServer\Tomcat\conf
• For WebServicesManager (WSM)
<install drive:>\Cisco\CVP\wsm\Server\Tomcat\conf
• For Operations Console
<install drive:>\Cisco\CVP\OPSConsoleServer\Tomcat\conf

Step 3 In the Call Server, remove the following line in the server.xml file:

<Listener className="org.apache.catalina.core.AprLifecycleListener"/>
Step 4 In the Call Server, update the SSL connector setting with the attributes sslProtocol="TLS" sslEnabledProtocols="TLSv1".

Sample connector settings:

<Connector
    SSLCertificateFile="C:\Cisco\CVP\conf\security\callserver.crt"
    SSLCertificateKeyFile="C:\Cisco\CVP\conf\security\callserver.key"
    SSLEngine="on"
    acceptCount="1500"
    clientAuth="false"
    disableUploadTimeout="true"
    enableLookups="false"
    keyAlias="callserver_certificate"
    keystoreFile="C:\Cisco\CVP\conf\security\.keystore"
    keystorePass="6QZ4u5(]~.C64w6ODcL8la8V_J{-Zcm*x0$7:"
    keystoreType="JCEKS"
    maxHttpHeaderSize="8192"
    maxSpareThreads="75"
    maxThreads="650"
    minSpareThreads="25"
    port="8443"
    scheme="https"
    secure="true"
    sslProtocol="TLS"
    sslEnabledProtocols="TLSv1"
    ciphers="SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_KRB5_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_KRB5_WITH_3DES_EDE_CBC_SHA"/>

Step 5 In the VXML Server, update the SSL connector setting with the attributes sslProtocol="TLS" sslEnabledProtocols="TLSv1".

Sample connector settings:

<Connector
    SSLCertificateFile="C:\Cisco\CVP\conf\security\vxml.crt"
    SSLCertificateKeyFile="C:\Cisco\CVP\conf\security\vxml.key"
    SSLEngine="on"
    acceptCount="1500"
    clientAuth="false"
    disableUploadTimeout="true"
    enableLookups="false"
    keyAlias="vxml_certificate"
    keystoreFile="C:\Cisco\CVP\conf\security\.keystore"
    keystorePass="6QZ4u5(]~.C64w6ODcL8la8V_J{-Zcm*x0$7:"
    keystoreType="JCEKS"
    maxHttpHeaderSize="8192"
    maxSpareThreads="75"
    maxThreads="650"
    minSpareThreads="25"
    port="7443"
    scheme="https"
    secure="true"
    sslProtocol="TLS"
    sslEnabledProtocols="TLSv1"
    ciphers="SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_KRB5_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_KRB5_WITH_3DES_EDE_CBC_SHA"/>

Step 6 In the Operations Console, update the SSL connector setting with the attributes sslProtocol="TLS" sslEnabledProtocols="TLSv1".

Sample connector settings (the protocol attribute is sslEnabledProtocols, as in the other connectors):

<Connector
    SSLCertificateFile="C:\Cisco\CVP\conf\security\oamp.crt"
    SSLCertificateKeyFile="C:\Cisco\CVP\conf\security\oamp.key"
    SSLEngine="on"
    acceptCount="100"
    disableUploadTimeout="true"
    enableLookups="false"
    keyAlias="oamp_certificate"
    keystoreFile="C:\Cisco\CVP\conf\security\.keystore"
    keystorePass="6QZ4u5(]~.C64w6ODcL8la8V_J{-Zcm*x0$7:"
    keystoreType="JCEKS"
    maxHttpHeaderSize="8192"
    maxSpareThreads="75"
    maxThreads="150"
    minSpareThreads="25"
    port="9443"
    scheme="https"
    secure="true"
    sslProtocol="TLS"
    sslEnabledProtocols="TLSv1"/>

Step 7 In the Web Services Manager, update the SSL connector setting with the attributes sslProtocol="TLS" sslEnabledProtocols="TLSv1".

Sample connector settings:

<Connector
    SSLCertificateFile="C:\Cisco\CVP\conf\security\oamp.crt"
    SSLCertificateKeyFile="C:\Cisco\CVP\conf\security\oamp.key"
    SSLEngine="on"
    acceptCount="100"
    disableUploadTimeout="true"
    enableLookups="false"
    keyAlias="oamp_certificate"
    keystoreFile="C:\Cisco\CVP\conf\security\.keystore"
    keystorePass="6QZ4u5(]~.C64w6ODcL8la8V_J{-Zcm*x0$7:"
    keystoreType="JCEKS"
    maxHttpHeaderSize="8192"
    maxSpareThreads="75"
    maxThreads="150"
    minSpareThreads="25"
    port="9443"
    scheme="https"
    secure="true"
    sslProtocol="TLS"
    sslEnabledProtocols="TLSv1"
    ciphers="SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_KRB5_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_KRB5_WITH_3DES_EDE_CBC_SHA"/>

Step 8 Disable SSLv3 on the IIS Web Server.
a) Create a subkey named Server at the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server
b) Under that subkey, set the following two registry values:
• "Enabled"=dword:00000000
• "DisabledByDefault"=dword:00000001
Step 9 From the Windows Start menu, select Start > Control Panel > Administrative Tools > Services, and restart the following services:
• CVP CallServer
• Cisco CVP VXMLServer
• CVP Operations Console
• Cisco CVP WebServicesManager

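As an added post-change check that is not part of this DocWiki article, the following Python audits a Tomcat server.xml for the settings Steps 3 to 7 change: it flags a remaining AprLifecycleListener, the legacy sslProtocols attribute name, and any HTTPS Connector that still enables SSLv3. The input is a constructed fragment modelled on the Call Server sample, not a real Unified CVP file.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not a real Unified CVP file). The first
# Connector is hardened as Steps 4-7 describe; the second still uses the legacy
# "sslProtocols" name and keeps SSLv3; the listener Step 3 removes is still there.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener"/>
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true" SSLEngine="on"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1"/>
    <Connector port="9443" scheme="https" secure="true" SSLEngine="on"
               sslProtocol="TLS" sslProtocols="SSLv3,TLSv1"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}


def audit_server_xml(xml_text):
    """Return a list of POODLE-relevant findings for a Tomcat server.xml."""
    findings = []
    root = ET.fromstring(xml_text)

    # With the APR listener loaded, Tomcat may hand TLS to the native connector,
    # where the JSSE-only sslEnabledProtocols attribute has no effect.
    for listener in root.iter("Listener"):
        if listener.get("className") == APR_LISTENER:
            findings.append("AprLifecycleListener present; remove it (Step 3)")

    for conn in root.iter("Connector"):
        if conn.get("scheme") != "https" and conn.get("secure") != "true":
            continue  # plain HTTP connector, nothing to check
        port = conn.get("port", "?")
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None and conn.get("sslProtocols") is not None:
            findings.append(f"port {port}: rename legacy sslProtocols to sslEnabledProtocols")
            enabled = conn.get("sslProtocols")
        if enabled is None:
            findings.append(f"port {port}: sslEnabledProtocols not set, JVM default applies")
            continue
        weak = sorted({p.strip() for p in enabled.split(",")} & WEAK_PROTOCOLS)
        if weak:
            findings.append(f"port {port}: weak protocol(s) enabled: {', '.join(weak)}")
    return findings
```

Run it against each component's server.xml after editing; an empty list means no SSLv3 exposure remains in that file (the IIS registry change in Step 8 must still be checked separately).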
Release: 8.5(1), 9.0(1), and 10.0(1)
Associated CDETS #: CSCus00447

