Disable SSLv3 in Web Reporter to protect against POODLE vulnerability

Version 5

    Introduction

    Web Reporter currently allows connections to its secure user interface over the SSL 3.0 protocol, and it also uses SSL 3.0 to connect to some log sources for log collection. Because of the recently disclosed POODLE vulnerability (CVE-2014-3566), it is recommended to disable SSL 3.0 to protect against this attack.

    Solution

    Upgrade Web Reporter to a version that contains a fix for this vulnerability. See McAfee KnowledgeBase - Web Reporter response to CVE-2014-3566 (POODLE vulnerability) for further information on upgrading.

    Workaround to disable SSL 3.0 for the HTTPS UI

    The following steps disable SSL 3.0 for secure connections to the HTTPS UI. Clients must use Java 7.x or later with this workaround; differences in Java 6.x will cause the UI not to load. This does NOT prevent Web Reporter from connecting to log sources over SSL 3.0 to collect log files.

    1. Navigate to <Web Reporter install directory>\reporter\jboss\server\default\deploy\jboss-web.deployer\.
    2. Make a backup of the server.xml file located in this directory.
    3. Stop the Web Reporter Server service.
    4. Open the server.xml file with a text editor and go to line 36. Around this line you will find text similar to:

    <Connector port="9112" protocol="HTTP/1.1" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS"
                   keystoreFile="${jboss.server.home.dir}/conf/servercacerts"
                   keystorePass="password"/>

    5. Add the line sslProtocols="TLSv1,TLSv1.1,TLSv1.2" to this section so that it looks like:

    <Connector port="9112" protocol="HTTP/1.1" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS"
                   keystoreFile="${jboss.server.home.dir}/conf/servercacerts"
                   keystorePass="password"
                   sslProtocols="TLSv1,TLSv1.1,TLSv1.2"/>

    6. Save the file and then start the Web Reporter Server service.

    Once the service is started, SSL 3.0 will be disabled for the HTTPS UI.
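As an added example (not part of this McAfee article and not a McAfee tool), the following Python script audits a JBoss Web server.xml for HTTPS connectors that would still accept SSL 3.0 and applies the sslProtocols change from step 5 to each of them; the sample server.xml is constructed to resemble the excerpt above, and the connector-matching logic is an assumption about the Tomcat-style file layout.

```python
import re

# Protocol list from step 5 of the workaround; SSL 3.0 is deliberately absent.
TLS_ONLY = "TLSv1,TLSv1.1,TLSv1.2"

# One <Connector ...> start tag; spaces around '=' are tolerated, as in the article.
CONNECTOR_RE = re.compile(r"<Connector\b[^>]*>")
SSL_PROTOCOLS_RE = re.compile(r'\bsslProtocols\s*=\s*"([^"]*)"')

def connector_allows_sslv3(connector: str) -> bool:
    """True for an HTTPS connector that would still negotiate SSL 3.0."""
    if 'SSLEnabled="true"' not in connector:
        return False  # plain HTTP connector, nothing to restrict
    m = SSL_PROTOCOLS_RE.search(connector)
    if m is None:
        return True  # no sslProtocols restriction: the article's starting state
    enabled = {p.strip().upper() for p in m.group(1).split(",")}
    return "SSLV3" in enabled

def audit(server_xml: str) -> list:
    """Ports of every HTTPS connector in server.xml that still accepts SSL 3.0."""
    ports = []
    for m in CONNECTOR_RE.finditer(server_xml):
        if connector_allows_sslv3(m.group(0)):
            port = re.search(r'\bport="(\d+)"', m.group(0))
            ports.append(int(port.group(1)) if port else -1)
    return ports

def harden_connector(connector: str) -> str:
    """Pin an HTTPS connector to TLS only (step 5); other connectors are unchanged."""
    if not connector_allows_sslv3(connector):
        return connector
    if SSL_PROTOCOLS_RE.search(connector):  # e.g. sslProtocols="SSLv3,TLSv1"
        return SSL_PROTOCOLS_RE.sub(f'sslProtocols="{TLS_ONLY}"', connector)
    closing = "/>" if connector.endswith("/>") else ">"
    head = connector[: -len(closing)].rstrip()
    return f'{head}\n               sslProtocols="{TLS_ONLY}"{closing}'

def harden_server_xml(server_xml: str) -> str:
    return CONNECTOR_RE.sub(lambda m: harden_connector(m.group(0)), server_xml)

# Constructed sample resembling the Web Reporter server.xml excerpt above.
SAMPLE = """<Connector port="9112" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="${jboss.server.home.dir}/conf/servercacerts"
               keystorePass="password"/>
<Connector port="9111" protocol="HTTP/1.1" connectionTimeout="20000"/>
"""
```

Take the backup from step 2 first, then write harden_server_xml(...) back over server.xml while the Web Reporter Server service is stopped; audit(...) on the rewritten file should return an empty list.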