{"id":9055,"date":"2015-07-09T10:17:39","date_gmt":"2015-07-09T02:17:39","guid":{"rendered":"http:\/\/w3c.weblink.com.tw\/symantec\/?p=9055"},"modified":"2015-07-09T10:17:40","modified_gmt":"2015-07-09T02:17:40","slug":"symantec-dlp-and-poodle-ssl-3-0-protocol-weakness-cve-2014-3566","status":"publish","type":"post","link":"https:\/\/w3c.weblink.com.tw\/symantec\/?p=9055","title":{"rendered":"Symantec DLP and POODLE SSL 3.0 protocol weakness (CVE-2014-3566)"},"content":{"rendered":"
Problem<\/h5>\n

 <\/p>\n

Symantec Data Loss Prevention uses the SSL\/TLS protocol to secure netwok communications. SSL\/TLS channels are used between the client browser and the Enforce Server, the Enforce Server and detection servers, as well as between the Endpoint Server and DLP Agents. The SSL\/TLS channel between the client browser and the Enforce Server administration console may use SSL 3.0.<\/p>\n

SSL 3.0 uses nondeterministic CBC padding in certain ciphers, which makes it easier for man-in-the-middle attackers to obtain clear-text data via a padding-oracle attack (dubbed POODLE – Padding Oracle On Downgraded Legacy Encryption).<\/p>\n

Solution<\/h5>\n

 <\/p>\n\n\n\n\n\n\n
\n

SSL\/TLS Channel<\/strong><\/p>\n<\/td>\n

\n

Protocol<\/strong><\/p>\n<\/td>\n

\n

Impact<\/strong><\/p>\n<\/td>\n

\n

Comments<\/strong><\/p>\n<\/td>\n<\/tr>\n

Web browser <–> Enforce Server administration console<\/td>\nSSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2<\/td>\nAffected (not vulnerable)<\/td>\n\n

Action required<\/u>. <\/p>\n

Depending on the Data Loss Prevention version, SSL 3.0 support can be disabled in the web browser, or by updating the tomcat configuration. Updating tomcat’s configuration is the recommended<\/strong> and long-term approach, as this will ensure SSL 3.0 is never negotiated with the browser. <\/p>\n

Data Loss Prevention 11.6.x and 12.x
<\/strong>SSL 3.0 can be disabled either by updating the tomcat server configuration, or in the web browser. <\/p>\n

To disable SSL 3.0 support via the tomcat server configuration files: <\/p>\n

    \n
  1. In server.xml (typically inC:\\SymantecDLP\\Protect\\tomcat\\conf\\ on Windows), addsslEnabledProtocols=”TLSv1.2,TLSv1.1,TLSv1″ to the HTTPS Connector configuration (<Connector …).\n
  2. Restart the Vontu Manager service.<\/li>\n<\/ol>\n

    To disable SSL 3.0 support in the web browser, follow the steps outlined below for Data Loss Prevention version 11.5.x and earlier. <\/p>\n

    Data Loss Prevention 11.5.x and earlier<\/strong> <\/p>\n

    SSL 3.0 support must be disabled in the web browser. <\/p>\n

    In Firefox: <\/p>\n

      \n
    1. Type about:config in the URL bar.\n
    2. Set security.tls.version.min to 1, andsecurity.tls.version.max to 3. Refer to this<\/a> link for details.<\/li>\n<\/ol>\n

      In Internet Explorer: <\/p>\n

        \n
      1. Go to Settings\/Tools > Internet Options > Advanced tab.\n
      2. Uncheck “Use SSL 3.0”.\n
      3. Click Apply.\n
      4. Click Okay.<\/li>\n<\/ol>\n<\/td>\n<\/tr>\n
Enforce Server <–> detection servers<\/td>\nTLS 1.0, TLS 1.1, TLS 1.2<\/td>\nNot Affected<\/td>\n\n

No action required<\/u>. <\/p>\n

Enforce and Detection servers use TLS protocol by default for communication.<\/p>\n<\/td>\n<\/tr>\n

Endpoint Server <–> DLP Agents<\/td>\nTLS 1.0, TLS 1.1, TLS 1.2<\/td>\nNot Affected<\/td>\n\n

No action required<\/u>. <\/p>\n

Endpoint Server and DLP Agents use TLS by default for communication.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

  <\/p>\n

References<\/h5>\n

https:\/\/support.symantec.com\/en_US\/article.TECH225739.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Problem   Symantec Data Loss Prevention uses the S … \u95b1\u8b80\u5168\u6587 Symantec DLP and POODLE SSL 3.0 protocol weakness (CVE-2014-3566)<\/span><\/a><\/p>\n","protected":false},"author":19,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[126],"tags":[],"class_list":["post-9055","post","type-post","status-publish","format-standard","hentry","category-ssl-3-0-"],"_links":{"self":[{"href":"https:\/\/w3c.weblink.com.tw\/symantec\/index.php?rest_route=\/wp\/v2\/posts\/9055","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/w3c.weblink.com.tw\/symantec\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/w3c.weblink.com.tw\/symantec\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/w3c.weblink.com.tw\/symantec\/index.php?rest_route=\/wp\/v2\/users\/19"}],"replies":[{"embeddable":true,"href":"https:\/\/w3c.weblink.com.tw\/symantec\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9055"}],"version-history":[{"count":1,"href":"https:\/\/w3c.weblink.com.tw\/symantec\/index.php?rest_route=\/wp\/v2\/posts\/9055\/revisions"}],"predecessor-version":[{"id":9056,"href":"https:\/\/w3c.weblink.com.tw\/symantec\/index.php?rest_route=\/wp\/v2\/posts\/9055\/revisions\/9056"}],"wp:attachment":[{"href":"https:\/\/w3c.weblink.com.tw\/symantec\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9055"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/w3c.weblink.com.tw\/symantec\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9055"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/w3c.weblink.com.tw\/symantec\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9055"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}