Disable SSLv3 in Content Security Reporter (CSR) 2.x to protect against POODLE vulnerability

Version 7


    Introduction


    Content Security Reporter versions earlier than 2.1 build 291 accept connections to the secure communication interface over the SSL 3.0 protocol.  This interface is not accessed through a web browser; it is used by ePO for internal communication when making configuration changes to CSR.  CSR also uses SSL 3.0 when connecting to some log sources for log collection.  Because of the POODLE vulnerability (CVE-2014-3566), SSL 3.0 should be disabled.


    Problem


    Aside from the security risk presented by not updating to the version of CSR where this issue is resolved, it will also not be possible to collect from any McAfee SaaS Web Protection Service log sources.  The SaaS servers have been updated to no longer allow any secure protocol lower than TLS 1.0, so collection will fail until CSR is upgraded to version 2.1 build 291.


    Solution


    Upgrade Content Security Reporter to a version that contains a fix for this vulnerability.  See McAfee KnowledgeBase - Content Security Reporter response to CVE-2014-3566 (POODLE vulnerability) for further information on upgrading.


    Workaround to disable SSL 3.0 for Content Security Reporter 2.x secure communication interface


    NOTE: This workaround does not disable SSL 3.0 for the connections CSR makes to log sources when collecting log files; only the upgrade addresses those.


    1. Navigate to <Content Security Reporter install directory>\reporter\jboss\standalone\configuration\.
    2. Make a backup of the standalone-csr.xml file located in this directory.
    3. Stop the Content Security Reporter Server service.
    4. Open the standalone-csr.xml file with a text editor and go to line 260.  Around this line you will find text similar to:

    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="https" password="password" certificate-key-file="${jboss.server.config.dir}/servercacerts"/>
    </connector>


    5. Add the attribute protocol="TLSv1,TLSv1.1,TLSv1.2" to the <ssl> element (the second line of this section) so that it looks like:

    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="https" password="password" certificate-key-file="${jboss.server.config.dir}/servercacerts" protocol="TLSv1,TLSv1.1,TLSv1.2"/>
    </connector>


    6. Save the file and then start the Content Security Reporter Server service.


    Once the service is started, SSL 3.0 will be disabled for the secure communication interface.
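    To confirm the edit took effect, the following shell helper is an added example; it is not part of this KB article or of CSR itself.  check_ssl_config inspects a copy of standalone-csr.xml and fails when any <ssl> element lacks a protocol attribute or still lists SSLv2/SSLv3, and probe_sslv3 uses openssl s_client to confirm the restarted listener refuses an SSLv3 handshake while still completing a TLS one.  The sample XML in the block is constructed to mirror the before/after snippets above, and the host name and port in the usage comment are placeholders for your own CSR listener.

```sh
#!/bin/sh
# Added verification helper; not part of the McAfee KB article or of CSR.
# check_ssl_config FILE : exit 0 when every <ssl .../> element in a JBoss
#   standalone XML carries an explicit protocol list with no SSLv2/SSLv3 entry.
# probe_sslv3 HOST PORT : exit 0 when the listener refuses an SSLv3 handshake
#   but still completes a TLS one (needs an OpenSSL build that supports -ssl3).

check_ssl_config() {
    file="$1"
    # No protocol attribute at all: the connector falls back to the JVM
    # default, which on the affected CSR builds still offers SSL 3.0.
    if grep '<ssl ' "$file" | grep -v 'protocol=' | grep -q .; then
        echo "$file: <ssl> element without a protocol attribute"
        return 1
    fi
    # An explicit list that still names SSLv3 (or SSLv2) is just as bad.
    # "SSLv2Hello" only selects a hello format and is deliberately not matched.
    if grep '<ssl ' "$file" \
        | sed -n 's/.*protocol="\([^"]*\)".*/\1/p' \
        | tr -d ' ' | tr ',' '\n' \
        | grep -qi '^SSLv[23]$'; then
        echo "$file: protocol list still allows SSLv2/SSLv3"
        return 1
    fi
    # There must be at least one <ssl> element to have been checked.
    grep -q '<ssl ' "$file"
}

probe_sslv3() {
    host="$1"; port="$2"
    # Modern OpenSSL is often built without SSLv3; then "-ssl3" is an unknown
    # option and a "failed" handshake would prove nothing about the server.
    if ! openssl s_client -help 2>&1 | grep -q -- '-ssl3'; then
        echo "this openssl cannot speak SSLv3; use an older build for the probe"
        return 2
    fi
    if openssl s_client -connect "$host:$port" -ssl3 </dev/null >/dev/null 2>&1; then
        echo "$host:$port still accepts SSLv3"
        return 1
    fi
    # A refused SSLv3 handshake looks the same as a dead port, so confirm TLS works.
    if ! openssl s_client -connect "$host:$port" </dev/null >/dev/null 2>&1; then
        echo "$host:$port: no TLS connection either (service not started?)"
        return 1
    fi
    echo "$host:$port refuses SSLv3 and accepts TLS"
}

# Constructed samples mirroring the KB's before/after snippets (not real CSR files).
BEFORE_XML='<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="https" password="password" certificate-key-file="${jboss.server.config.dir}/servercacerts"/>
</connector>'
AFTER_XML='<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="https" password="password" certificate-key-file="${jboss.server.config.dir}/servercacerts" protocol="TLSv1,TLSv1.1,TLSv1.2"/>
</connector>'

demo_dir=$(mktemp -d)
printf '%s\n' "$BEFORE_XML" > "$demo_dir/before.xml"
printf '%s\n' "$AFTER_XML"  > "$demo_dir/after.xml"
check_ssl_config "$demo_dir/before.xml" || echo "before.xml fails the check, as expected"
check_ssl_config "$demo_dir/after.xml"  && echo "after.xml passes the check"
rm -rf "$demo_dir"
# Against the restarted service (placeholder host and port for your CSR listener):
#   probe_sslv3 csr.example.internal 8443
```

    Run check_ssl_config against the edited standalone-csr.xml before restarting the service, then probe_sslv3 against the listener afterwards; a probe that returns 2 means the local OpenSSL cannot even attempt SSLv3, so run it from a host with an older build rather than treating that as a pass.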