Dario

SECURITY BULLETIN PBS14-01 -- SSL 3.0 protocol/POODLE Bug (CVE-2014-3566)


DESCRIPTION:

Altair Engineering is releasing this advisory to customers running PBS Works (Compute Manager, Display Manager, Results Visualization Service, Simulation Manager, Access Management Service, PBS Application Services) to alert them of a security vulnerability. It affects customers whose network policies allow arbitrary systems to connect directly to the PBS Works server when encrypted connections (HTTPS) to the PBS Works services are enabled. The vulnerability is in the SSL 3.0 protocol itself and is known as POODLE (Padding Oracle On Downgraded Legacy Encryption, CVE-2014-3566); the name "POODLEbleed" also circulates, although the flaw is unrelated to Heartbleed. An attacker positioned between a client and the server who can force the connection down to SSL 3.0 and replay many modified requests can recover plaintext from the encrypted session one byte at a time, for example an HTTP session cookie. Any server that still accepts SSL 3.0 is exposed, because many clients of the era retry with SSL 3.0 when a TLS handshake fails.

 

SEVERITY RATING: Critical

 

RECOMMENDATION:

Altair recommends that customers who allow arbitrary systems to have direct network access to the PBS Works system either apply an updated version or fix their configuration as outlined below in a timely fashion. 

 

AFFECTED SOFTWARE:

All versions of PBS Works prior to v12.1.0

 

SCHEDULE OF AVAILABILITY OF UPDATE:

PBS Works 12.1.0 Available Nov 2nd

 

NOTE: Altair advises customers running any release prior to v12.1.0 to update.

 

SECURITY UPDATE:

The updates and packages are being made available to all customers running PBS Works with current maintenance and support contracts.

 

INSTRUCTIONS TO OBTAIN UPDATE:

Please send an email to:

pbssupport@altair.com OR pbssales@altair.com

 

Or use https://connect.altair.com/ to request the latest version.

 

Please include the version of PBS Professional you are running, the operating system you are using, and the hardware/platform you are running on. This will help us expedite your request.

 

 

SUGGESTED SECURITY FIX WHEN UPGRADE IS NOT POSSIBLE:

In the file <PORTAL_HOME>/thirdparty/apache/tomcat/conf/server.xml of the installed Compute Manager, find the HTTPS connector, which looks like the following:

 

    <Connector
        port="8443" maxThreads="200"
        scheme="https" secure="true" SSLEnabled="true"
        clientAuth="false" sslProtocol="TLS"
        keystoreFile="${HWE_INSTALLATION_DIRECTORY}/config/ams.keystore"
        keystorePass="changeit"/>

 

Replace the sslProtocol="TLS" attribute with an explicit list of the protocol versions the connector may negotiate, so that SSL 3.0 is excluded:

    sslProtocols="TLSv1, TLSv1.1, TLSv1.2"

Note that sslProtocol="TLS" on its own only selects the SSLContext; which protocol versions are actually enabled is then left to the Java runtime's defaults, which on JREs older than the January 2015 updates still include SSLv3. The exact attribute name depends on the Tomcat version bundled under thirdparty/apache/tomcat: Tomcat 7 and later document it as sslEnabledProtocols and keep sslProtocols only as a deprecated alias, so check the documentation for the bundled version. Tomcat must be restarted for the change to take effect.

 

As in this sample:

 

    <Connector
        port="8443" maxThreads="200"
        scheme="https" secure="true" SSLEnabled="true"
        clientAuth="false" sslProtocols="TLSv1, TLSv1.1, TLSv1.2"
        keystoreFile="${HWE_INSTALLATION_DIRECTORY}/config/ams.keystore"
        keystorePass="changeit"/>
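Because a misspelled or missing protocol attribute silently falls back to the runtime defaults, it is worth checking server.xml mechanically rather than by eye, especially across several PBS Works hosts. The following script is an added example, not part of this bulletin or of PBS Works; it parses a Tomcat server.xml and reports every SSLEnabled connector whose protocol list is absent or includes SSLv3. It accepts both attribute spellings (sslEnabledProtocols for Tomcat 7 and later, sslProtocols as used above). The embedded server.xml is constructed for the example from the before/after connectors shown above, plus a deliberately bad connector that lists SSLv3 explicitly.

```python
"""Audit a Tomcat server.xml for HTTPS connectors that may still negotiate SSL 3.0."""
import xml.etree.ElementTree as ET

# Attribute names checked, in order: the Tomcat 7+ spelling first, then the older
# spelling used in the bulletin (assumption: the bundled Tomcat honours one of them).
PROTOCOL_ATTRS = ("sslEnabledProtocols", "sslProtocols")

# Constructed sample: the bulletin's "before" connector (8443), its "after" connector
# written with the Tomcat 7+ attribute (8444), and one that lists SSLv3 explicitly (8445).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="${HWE_INSTALLATION_DIRECTORY}/config/ams.keystore"
               keystorePass="changeit"/>
    <Connector port="8444" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
               keystoreFile="${HWE_INSTALLATION_DIRECTORY}/config/ams.keystore"
               keystorePass="changeit"/>
    <Connector port="8445" SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="SSLv3,TLSv1"/>
  </Service>
</Server>
"""


def audit_connectors(server_xml):
    """Return [(port, verdict), ...] for every SSLEnabled connector in the XML text."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector: nothing to audit
        port = conn.get("port", "?")
        listed = None
        for attr in PROTOCOL_ATTRS:
            value = conn.get(attr)
            if value:
                listed = {p.strip() for p in value.split(",") if p.strip()}
                break
        if listed is None:
            # sslProtocol="TLS" alone only picks the SSLContext; the enabled
            # protocol versions are then whatever the JRE defaults to.
            findings.append((port, "FAIL: no explicit protocol list; SSLv3 left to JRE defaults"))
        elif "SSLv3" in listed:
            findings.append((port, "FAIL: SSLv3 explicitly enabled"))
        else:
            findings.append((port, "OK: " + ", ".join(sorted(listed))))
    return findings


if __name__ == "__main__":
    for port, verdict in audit_connectors(SAMPLE_SERVER_XML):
        print("port %s: %s" % (port, verdict))
```

To run it against a real installation, read <PORTAL_HOME>/thirdparty/apache/tomcat/conf/server.xml into a string and pass it to audit_connectors in place of the sample. An "OK" verdict only means the configuration asks for the right thing; confirm the running service with a protocol scan after the restart.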

 

To verify the fix, test the HTTPS port from a host that is allowed to reach it with a tool that attempts an SSL 3.0 handshake, for example the checker provided by Symantec (http://www.symantec.com/connect/blogs/ssl-30-vulnerability-poodle-bug-aka-poodlebleed) or a similar scanner, which are now widely available. A correctly fixed service refuses SSL 3.0 connections while still accepting TLS 1.0 and later.
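Hosted checkers cannot reach a PBS Works server on an internal network, and `openssl s_client -ssl3` or `nmap --script ssl-enum-ciphers` may not be at hand (many current OpenSSL builds have SSL 3.0 compiled out, so the -ssl3 option is simply missing). The probe below is an added example, not part of this bulletin or of PBS Works: it hand-builds an SSL 3.0 ClientHello record, sends it to the HTTPS port (8443 by default, as in the connector above) and reports whether the server answers with an SSL 3.0 ServerHello (still vulnerable) or an alert or closed connection (fixed). The cipher-suite list and the sample server replies used in the test are constructed for the example.

```python
"""Send a raw SSL 3.0 ClientHello and report whether the server accepts it."""
import os
import socket
import struct
import sys

SSL3_VERSION = b"\x03\x00"

# Suites offered: the CBC ones are what POODLE needs; RC4 is added so a server
# that has disabled CBC still answers with a ServerHello rather than an alert.
CIPHER_SUITES = (
    0x000A,  # RSA_WITH_3DES_EDE_CBC_SHA
    0x002F,  # RSA_WITH_AES_128_CBC_SHA
    0x0035,  # RSA_WITH_AES_256_CBC_SHA
    0x0005,  # RSA_WITH_RC4_128_SHA
    0x0004,  # RSA_WITH_RC4_128_MD5
)

ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}


def build_sslv3_client_hello(client_random=None):
    """Return one record (type 0x16, version 3.0) carrying an SSL 3.0 ClientHello."""
    rnd = os.urandom(32) if client_random is None else client_random
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSL3_VERSION                            # client_version = {3, 0}
        + rnd                                   # 32-byte client random
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                           # one compression method: null
    )                                           # SSL 3.0 has no extensions block
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 + 24-bit length
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Map the first record the server sends back to a verdict string."""
    if not data:
        return "rejected: connection closed without a reply"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:   # Handshake, ServerHello
        version = data[9:11]                                        # server_version field
        if version == SSL3_VERSION:
            return "VULNERABLE: server completed an SSL 3.0 ServerHello"
        return "unexpected: ServerHello with version %s" % version.hex()
    if data[0] == 0x15 and len(data) >= 7:                          # Alert record
        level, desc = data[5], data[6]
        return "rejected: alert %s (level %d)" % (ALERT_NAMES.get(desc, str(desc)), level)
    return "unexpected: first bytes %s" % data[:8].hex()


def probe(host, port=8443, timeout=5.0):
    """Connect, send the SSL 3.0 hello, and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    print(probe(target, port))
```

Run it as `python probe.py pbsworks-host 8443` from a machine that is permitted to reach the server. A handshake_failure alert can also mean the server simply shares none of the five RSA suites offered, so if the result is ambiguous extend CIPHER_SUITES with the suites the server is configured for; only a ServerHello whose version bytes are 03 00 proves that SSL 3.0 is still negotiable.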

 

 

For further information see also:




 

Please contact pbssupport@altair.com or pbssales@altair.com if you need additional information. 
