Service Manager and the Heartbleed Vulnerability (CVE-2014-0160)



Similar documents
Specific recommendations

SECURING SAP NETWEAVER DEPLOYMENTS WITH SAFE-T RSACCESS

Data Security and Governance with Enterprise Enabler

Print Audit Facilities Manager Technical Overview

Security Advisory Relating to OpenSSL Vulnerability Heartbleed on Various Polycom Products

SSL CONFIGURATION GUIDE

Introduction to Endpoint Security

Introduction to the AirWatch Cloud Connector (ACC) Guide

Product Documentation. Preliminary Evaluation of the OpenSSL Security Advisory (0.9.8 and 1.0.1)

Preparing for GO!Enterprise MDM On-Demand Service

SuperOffice Pocket CRM

Table of Contents. 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2

Configuring User Identification via Active Directory

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

How To Secure Your Data Center From Hackers

SMART Vantage. Installation guide

Xerox DocuShare Security Features. Security White Paper

StreamServe Persuasion SP5 StreamStudio

Deploy Remote Desktop Gateway on the AWS Cloud

Ranch Networks for Hosted Data Centers

Introduction to Mobile Access Gateway Installation

Introduction to the EIS Guide

Installation and configuration guide

IUCLID 5 Guidance and Support

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER

Blue Jeans Network Security Features

Introduction to the Mobile Access Gateway

Configuring SonicWALL TSA on Citrix and Terminal Services Servers

Security Advisory Relating to OpenSSL Vulnerability Heartbleed on Various Polycom Products

Filr 2.0 Administration Guide. April 2016

Setup Guide Access Manager 3.2 SP3

ACE Management Server Deployment Guide VMware ACE 2.0

Installation and configuration guide

Compiled By: Chris Presland v th September. Revision History Phil Underwood v1.1

Securing ArcGIS Server Services: First Steps

Configuring ActiveVOS Identity Service Using LDAP

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

Installing and Configuring vcenter Multi-Hypervisor Manager

October P Xerox App Studio. Information Assurance Disclosure. Version 2.0

Oracle Collaboration Suite

CA Business Intelligence

Locking down a Hitachi ID Suite server

Web Application Security Assessment and Vulnerability Mitigation Tests

To install and configure SSL support on Tomcat 6, you need to follow these simple steps. For more information, read the rest of this HOW-TO.

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

PowerChute TM Network Shutdown Security Features & Deployment

What is the Barracuda SSL VPN Server Agent?

WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s

S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010

TIBCO Spotfire Platform IT Brief

F-Secure Messaging Security Gateway. Deployment Guide

Forward proxy server vs reverse proxy server

SECURITY DOCUMENT. BetterTranslationTechnology

12 Security Camera System Best Practices - Cyber Safe

Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!

SOA Software: Troubleshooting Guide for Agents

Setup Guide Access Manager Appliance 3.2 SP3

SSL-TLS VPN 3.0 Certification Report. For: Array Networks, Inc.

IBM Endpoint Manager Version 9.2. Patch Management for SUSE Linux Enterprise User's Guide

TECHNICAL NOTE Stormshield Network Firewall AUTOMATIC BACKUPS. Document version: 1.0 Reference: snentno_autobackup

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Web Application Report


CYAN Secure Web Microsoft ISA Server Deployment Guide

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

NetIQ Access Manager 3.2 integration

Apache Server Implementation Guide

How To Connect A Gemalto To A Germanto Server To A Joniper Ssl Vpn On A Pb.Net 2.Net (Net 2) On A Gmaalto.Com Web Server

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

CONTENTS. PCI DSS Compliance Guide

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Implementing a secure high visited web site by using of Open Source softwares. S.Dawood Sajjadi Maryam Tanha. University Putra Malaysia (UPM)

CHAPTER 1 - JAVA EE OVERVIEW FOR ADMINISTRATORS

Active Directory Domain Services on the AWS Cloud: Quick Start Reference Deployment Mike Pfeiffer

SharePoint 2013 Business Connectivity Services Hybrid Overview

Security Guide Release 7.3

VMware vcenter Log Insight Security Guide

Tech Titans: Lock it down, securing your Costpoint 7 deployments. Drew Roman, IT Solutions Director WJ Technologies L.L.C. GC-518

How To Use Netiq Access Manager (Netiq) On A Pc Or Mac Or Macbook Or Macode (For Pc Or Ipad) On Your Computer Or Ipa (For Mac) On An Ip

RSA SecurID Ready Implementation Guide

The Use of the Simple Certificate Enrollment Protocol (SCEP) and Untrusted Devices

Load Balancing 101: Firewall Sandwiches

CITY UNIVERSITY OF HONG KONG Network and Platform Security Standard

Remote Authentication and Single Sign-on Support in Tk20

How To Plan A Desktop Workspace Infrastructure

Enabling Single Signon with IBM Cognos 8 BI MR1 and SAP Enterprise Portal

Xerox Mobile Print Cloud

External Authentication with Citrix Secure Gateway - Presentation server Authenticating Users Using SecurAccess Server by SecurEnvoy

Owner of the content within this article is Written by Marc Grote

Connection Broker Managing User Connections to Workstations, Blades, VDI, and more. Security Review

How To Configure The Jasig Casa Single Sign On On A Workstation On Ahtml.Org On A Server On A Microsoft Server On An Ubuntu (Windows) On A Linux Computer On A Raspberry V

Websense Web Security Gateway: Integrating the Content Gateway component with Third Party Data Loss Prevention Applications

Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 Part Number: E April 2016

Oracle WebLogic Server 11g Administration

Transcription:

Service Manager and the Heartbleed Vulnerability (CVE-2014-0160) Revision 1.0 As of: April 15, 2014 Table of Contents Situation Overview 2 Clarification on the vulnerability applicability 2 Recommended mitigation plan 2 Recommended action plan 2 Appendix A 4 HP Service Manager Server (RTE) Using LDAP Proxy Server 4 HP Service Manager Server (RTE) Load Balancer 4 HP Service Manager web tier, Service Request Catalog, and Mobility 4 HP Service Manager Windows client (Eclipse client) 4 SM Server and KM Search Engine Embedded Tomcat Components 5

Situation Overview Per the HP Software bulletin, certain versions of the HP Service Manager product were affected by the Heartbleed vulnerability present in the third party OpenSSL library. Depending on your configuration, you may be impacted (details at the above bulletin and below). Per the bulletin, the following versions of Service Manager include the version of OpenSSL that was found vulnerable. The product versions are: Service Manager 9.32 (including all patches) Service Manager 9.33 (GA, 9.33.p1, 9.33.p1-rev1 & 9.33.p2). To remove any doubt, the following Service Manager Product versions were NOT AFFECTED by the Heartbleed vulnerability: Service Manager versions: 9.30, 9.31, 9.20, 9.21, 7.10, 7.11 ServiceCenter version 6.2 Note: Regardless of the versions listed above, you may still be vulnerable, depending on 3 rd party products that are used for the deployment of Service Manager / ServiceCenter. Please see Appendix A for further details. HP is not responsible for supporting 3 rd party components used to deploy its products and you should treat the guidelines available in Appendix A as recommendations only for further instructions it is recommended to consult with the 3 rd party component vendor. Clarification on the vulnerability applicability Service Manager Server uses OpenSSL to connect to Directory Services Server via the secure LDAP protocol. Secure LDAP is also known as LDAP over SSL (LDAPS). Examples of Directory Services ( DS ) servers are Microsoft Active Directory and Novell edirectory. Even if using the impacted Service Manager versions stated above, your Service Manager deployment is directly impacted only in cases where the SM server is integrated with LDAP using Secure LDAP protocol as illustrated in the diagram below: SM Server (LDAP client) Client Connection DS Server (LDAP server) SM Servers that are not integrated with LDAP or are integrated with LDAP using an unsecure connection are not affected by the vulnerability even if using an affected version. In addition, please take into consideration that in case the SM Server and the DS Server are implemented within an organization s intranet, any possible exploit of the vulnerability must result from attacks originating within the network. Recommended mitigation plan If your organization s architecture is similar to the above, in order to minimize your exposure to the vulnerability you can take the following action until HP releases a fix to the vulnerability: Determine the security of the network infrastructure between SM Server and the DS Sever. Consider whether implementing one or more proxy LDAP severs will mitigate any risks. (For example, if using SM vertical scaling you could implement a nonvulnerable LDAP proxy server on the same physical server as SM to prevent any vulnerable traffic from traversing the network) Recommended action plan 1. Consult with the vendor of your Directory Services server to confirm whether it uses vulnerable versions of OpenSSL. If so, follow the recommendations from the vendor to fix the vulnerability. 2. Apply a newer version of Service Manager which resolves the vulnerability.

Note: The following are follow-up actions that may be required after the environment has been fully patched: Generate new keys and certificates for your Directory Services Server (and proxies as required). Generate new SSL certificates for use by the HP Service Manager Server(s) so that the LDAPS integration to your Directory Services Server is functional. Generate new passwords for all HP Service Manager users/operators. The attack vector on Service Manager itself is smaller than that of the Directory Server given that SM is acting only as a client. You may search for reverse heartbleed for more information.

Appendix A HP Service Manager Server (RTE) Using LDAP Proxy Server Organizations where the DS server is not within the same network as the SM server, or that have architectures similar to the following, are also exposed to the vulnerability: SM Server (LDAP client) LDAP Proxy Server and/or Firewall DS Server (LDAP server) For this scenario, see the action plan above and consider firewall(s), proxy server(s) and the DS server itself in the action plan. HP Service Manager server (RTE) Load Balancer In some organizations, a hardware load balancer is deployed in conjunction with multiple SM servers that may leverage OpenSSL to provide HTTPS traffic encryption and load balancing. This is an optional, advanced deployment configuration. Your hardware load balancer may be impacted if it uses a vulnerable version of OpenSSL. Please see the official vulnerability details for the affected versions, and consult the manufacturer of your device to determine whether you are impacted. If you are using a vulnerable version, you should follow the recommended steps provided by the official vulnerability information and your device manufacturer. If the hardware load balancer that provides HTTPS for HP SM server is impacted, an attacker could have retrieved SM usernames and passwords as well as any HP SM business data that transits through the hardware load balancer. Please note this is the case for any application whose traffic transits through vulnerable servers, and is not specific to HP SM server. It is up to your administrators to take follow-up actions if deemed necessary after patching the issue on your hardware load balancer device(s). Such follow-up actions include the generation new keys on your web server, revocation of old certificates and re-issuance of passwords for all HP SM Server users, etc. HP Service Manager web tier, Service Request Catalog, and Mobility The HP Service Manager web tier does not use OpenSSL and is not directly impacted by the Heartbleed vulnerability. However, it is common in SM Production environments to deploy a web server and/or hardware load balancer device in conjunction with SM web tier servers that may leverage OpenSSL to provide HTTPS traffic encryption. Although the HP SM web tier is not directly impacted, your web server and hardware load balancer may be impacted if it uses a vulnerable version of OpenSSL. Please see the official vulnerability details for the affected versions and consult with your web server vendor and/or device manufacturer to determine whether you are impacted. If you are using a vulnerable version, you should follow the official steps provided by your web server vendor and/or device manufacturer. If the web server or hardware load balancer that provides HTTPS for the HP SM web tier is impacted, an attacker could have retrieved SM usernames and passwords as well as any HP SM business data that transits through the Web server. Please note this is the case for any application whose traffic transits through vulnerable servers, and is not specific to HP SM web tier. Your administrators should take follow-up actions if deemed necessary after the issue is patched on your web server and/or hardware load balancer device(s). Such follow-up actions include the generation new keys on your web server or hardware load balancer, revocation of old certificates, and re-issuance of passwords for all HP SM Server users, etc. HP Service Manager Windows client (Eclipse client) The HP Service Manager Windows client does not use OpenSSL and is not directly impacted by the Heartbleed vulnerability. However, it is possible in SM production environments to deploy a hardware load balancer device in conjunction with the SM Windows client(s) that may leverage OpenSSL to provide HTTPS traffic encryption. Although the HP SM Windows client is not directly impacted, your hardware load balancer may be impacted if it uses a vulnerable version of OpenSSL. Please see the official vulnerability details for the affected versions and consult the manufacturer of your

device to see whether you are impacted. If you are using a vulnerable version, you should follow the official steps provided by your device manufacturer. If the hardware load balancer that provides HTTPS for the HP SM Windows client is impacted, an attacker could have retrieved SM usernames and passwords as well as any HP SM business data that transits through the hardware load balancer. Please note this is the case for any application whose traffic transits through vulnerable servers, and is not specific to the HP SM Windows client. Your administrators should take follow-up actions if deemed necessary after patching the issue on your hardware load balancer device(s). Such follow-up actions include the generation new keys on your hardware load balancer, revocation of old certificates, and re-issuance of passwords for all HP SM client users, etc. SM Server and KM Search Engine Embedded Tomcat Components The SM server ships a version of Tomcat that has no HTTPS connectors enabled default. Therefore, out of the box installations are not affected. However, if you reconfigured or customized the HTTPS connector to use the Apache Portable Runtime or APR (HP does not recommend or document how to do this) you may be impacted. For example, if both of the following lines exist in your customized SM server s Tomcat server.xml, you will be affected by the OpenSSL issue: <Listener classname="org.apache.catalina.core.aprlifecyclelistener" SSLEngine="on" /> <!-- Define a APR SSL Coyote HTTP/1.1 Connector on port 8443 --> <Connector protocol="org.apache.coyote.http11.http11aprprotocol" port="8443".../> If you have customized the configuration as noted above, the proposed solution is to remove the APR line in server.xml as mentioned below: 1. Navigate to the server.xml file. For the SM Server: <SM_Dir>/RUN/tomcat/server.xml For the KM Search Engine: <KM_SearchEngine_Dir>/tomcat/conf/server.xml 2. Remove or comment out the following line from the file: <Listener classname="org.apache.catalina.core.aprlifecyclelistener" SSLEngine="off" /> 3. Change HTTPS connectors configuration as follows: from <Connector protocol="org.apache.coyote.http11.http11aprprotocol" port="8443".../> to <Connector protocol="org.apache.coyote.http11.http11protocol" port="8443".../> 4. Restart Tomcat. 5. Revoke the server certificates that are used in Tomcat and generate new ones.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information