
This patch repairs the POODLE (Padding Oracle On Downgraded Legacy Encryption, CVE-2014-3566) vulnerability in the SSL/TLS communication between Application Diagnostics Agents for Java and the Application Diagnostics Server components.

After you install the patch, the Server components no longer accept SSL 3.0 connections, and the RC4 cipher suite is removed from the list of supported ciphers (RC4 is a cipher, not a protocol; it is dropped because the legacy clients that need SSL 3.0 typically also depend on it).

Do you need to install this patch?

This patch is intended for Application Diagnostics version 2.6.10. For earlier versions of Application Diagnostics Server, first upgrade the Server components to 2.6.10. The Agents are upgraded with the patch scripts.

If you have questions about whether to install this patch, contact BMC Customer Support.

Warning

After you upgrade the Application Diagnostics Server, the Agent for .NET can no longer monitor application servers running on Windows 2003.

A workaround enables monitoring of Windows 2003 application servers, but the workaround does not remove the POODLE security vulnerability.


Downloading the patch

See Downloading the installation files for BMC Application Diagnostics and select the Patches tab.

Patch contents

File name                  Description
readme.txt                 Patch description and installation instructions
adops-agent-upgrade.bat    Patch upgrade script for the Agent for Java on Windows
adops-agent-upgrade.sh     Patch upgrade script for the Agent for Java on Linux
adops-agent-install.bat    Installation script for version 2.6.10.15 of the Agent for Java on Windows
adops-agent-install.sh     Installation script for version 2.6.10.15 of the Agent for Java on Linux
agentInstaller.jar         Upgraded JAR file, used by the Agent for Java
common-server.jar          Upgraded JAR file, replaces the existing file in each Application Diagnostics Server component
portal.jar                 Upgraded JAR file, replaces the existing file in the Application Diagnostics Portal

Applying the patch

To apply the patch, first patch the Application Diagnostics Server components, then upgrade each Agent for Java, as instructed in the following sections.

To apply the patch to the Application Diagnostics Server components

Replace the patched JAR files on the Application Diagnostics Portal, Collector, and APM Proxy servers, and modify the properties files as instructed.

If the Portal, Collector, and APM Proxy are installed on the same computer, replace common-server.jar once; otherwise, replace it on each installation.

  1. Stop the service or services.
  2. In the server installation directory, under the common/lib directory, replace common-server.jar with the file in this patch.

    The following file paths show the default installation directory:

    • (Windows) C:\Program Files\BMC Software\BMC Application Diagnostics\common\lib

    • (Linux) /opt/bmc/BMC_Application_Diagnostics/common/lib

  3. In the Portal installation directory, under the portal/lib directory, replace portal.jar with the file in this patch.

    The following file paths show the default installation directory:

    (Windows) C:\Program Files\BMC Software\BMC Application Diagnostics\portal\lib

    (Linux) /opt/bmc/BMC_Application_Diagnostics/portal/lib

  4. Open the properties file for each component in a text editor:

    • Portal: installationDirectory\portal\properties\portal.properties

    • Collector: installationDirectory\collector\properties\collector.properties

    • APM Proxy: installationDirectory\apm-proxy\properties\apm-proxy.properties

  5. For each component properties file, add the following tomcat.ciphers and tomcat.ssl.enabled.protocols lines (replace them if they are already present). Each value is one comma-separated list on a single line. SSLv2Hello enables only the SSLv2-compatible ClientHello format that some older clients use to open a handshake; it does not enable SSL 2.0 or SSL 3.0, so SSLv3 remains unavailable:

    # A comma separated list of encryption ciphers to support for HTTPS connections. Spaces between list items are not allowed.
    tomcat.ciphers=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA
    
    #The comma separated list of SSL protocols to support for HTTPS connections. Spaces between list items are not allowed.
    #Default Value: TLSv1,TLSv1.1,TLSv1.2
    tomcat.ssl.enabled.protocols=SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2
  6. Restart the service or services.
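The following script carries steps 1 to 6 out on one Linux host, for whichever of the Portal, Collector and APM Proxy are installed there. It is an added example, not a script shipped with the BMC patch. It assumes the default Linux installation path quoted above, the patch files unpacked in PATCH_DIR, and STOP_CMD and START_CMD set by the operator to the site's own service commands (the page does not name the service). The property update is idempotent, so re-running it after a failed attempt does not leave duplicate tomcat.ciphers lines behind.

```shell
#!/bin/sh
# Added example, not part of the BMC patch: apply the server-side part of the
# POODLE patch on one Linux host. Assumed: default install path, patch files in
# PATCH_DIR, and STOP_CMD/START_CMD supplied by the operator.
set -eu

INSTALL_DIR="${INSTALL_DIR:-/opt/bmc/BMC_Application_Diagnostics}"
PATCH_DIR="${PATCH_DIR:-.}"
STOP_CMD="${STOP_CMD:-:}"      # e.g. "service <name> stop"; ':' is a no-op placeholder
START_CMD="${START_CMD:-:}"

# Lists exactly as given in step 5: no SSLv3, no RC4, no spaces between items.
CIPHERS='TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA'
PROTOCOLS='SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2'

# get_property FILE KEY: print the current value of KEY (empty if absent).
get_property() {
    awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2) }' "$1"
}

# set_property FILE KEY VALUE: rewrite an existing KEY= line in place (duplicates
# are collapsed to one), or append it when the key is missing. Safe to re-run.
set_property() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        index($0, k "=") == 1 { if (!done) { print k "=" v; done = 1 }; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# replace_jar SRC DEST: keep a dated copy of the old jar beside it, then copy
# the patched jar in, preserving permissions.
replace_jar() {
    src=$1; dest=$2
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.pre-poodle.$(date +%Y%m%d%H%M%S)"
    fi
    cp -p "$src" "$dest"
}

apply_server_patch() {
    $STOP_CMD                                                       # step 1
    replace_jar "$PATCH_DIR/common-server.jar" \
                "$INSTALL_DIR/common/lib/common-server.jar"         # step 2
    if [ -d "$INSTALL_DIR/portal/lib" ]; then                       # step 3
        replace_jar "$PATCH_DIR/portal.jar" "$INSTALL_DIR/portal/lib/portal.jar"
    fi
    for comp in portal collector apm-proxy; do                      # steps 4-5
        props="$INSTALL_DIR/$comp/properties/$comp.properties"
        [ -f "$props" ] || continue
        set_property "$props" tomcat.ciphers "$CIPHERS"
        set_property "$props" tomcat.ssl.enabled.protocols "$PROTOCOLS"
        echo "patched $props"
    done
    $START_CMD                                                      # step 6
}

# Act only when asked to, so the file can also be sourced for its functions.
if [ "${1:-}" = "--apply" ]; then
    apply_server_patch
fi
```

Run it as `STOP_CMD="..." START_CMD="..." sh apply-poodle-patch.sh --apply` on each server host (the script name is an assumption). The awk rewrite matches the key literally at the start of the line, so `tomcat.ciphers.something=` is left alone and an existing `tomcat.ciphers=` that still lists an RC4 suite is overwritten rather than duplicated.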

To apply the patch to the Agent for Java

On each computer with an Agent for Java, run the included adops-agent-upgrade script that is appropriate for your platform. The -skipVer option upgrades the Agent regardless of its current version:

  • Windows
    adops-agent-upgrade.bat -s -d installationDirectory -skipVer
  • Linux
    ./adops-agent-upgrade.sh -s -d installationDirectory -skipVer

Replace installationDirectory with the full path to the existing Application Diagnostics Agent installation directory, which must include the ADOPsInstall directory. For example: c:\BMC Software\ADOPs\ADOPsInstall

For complete upgrade instructions, see Upgrading the Diagnostics Agent for Java.

To install a new Agent for Java

You can install an Agent for Java on an application server where an agent is not installed. The following silent installation command uses the default values for Agent installation:

  • Windows
    adops-agent-install.bat -s -a application_display_name
  • Linux
    ./adops-agent-install.sh -s -a application_display_name


Replace application_display_name with the display name of the application that the Agent monitors. The value is required and can include up to 255 alphanumeric Latin characters, and the following special characters: ~ ` ! @ # $ % ^ & * ( ) - _ + = ? . , ; /

For complete installation instructions, see Installing the Diagnostics Agent for Java.

Workaround for Windows 2003 application servers

Warning

The following workaround enables the Application Diagnostics Agent for .NET to monitor application servers, but the servers are open to the POODLE vulnerability.

Follow the instructions in To apply the patch to the Application Diagnostics Server components. In portal.properties and collector.properties, add the item "SSL_RSA_WITH_RC4_128_SHA" to the beginning of the tomcat.ciphers property. Remove it again as soon as the Windows 2003 servers are retired: RC4 has known keystream biases, and RFC 7465 prohibits RC4 cipher suites in TLS.

# A comma separated list of encryption ciphers to support for HTTPS connections. Spaces between list items are not allowed.
tomcat.ciphers=SSL_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA
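A check to run against each component's properties file after the patch, and again wherever the Windows 2003 workaround above has been applied, so that the RC4 exception is visible rather than forgotten. This is an added example and not part of the BMC patch; it reads the file with awk, needs no Java, and exits non-zero when the HTTPS listener would still accept SSLv3 or an RC4 suite. The file paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not part of the BMC patch: audit tomcat.ciphers and
# tomcat.ssl.enabled.protocols in a component properties file.
set -eu

# get_property FILE KEY: print the value of KEY, empty if the key is absent.
get_property() {
    awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2) }' "$1"
}

# audit_tls_properties FILE
# Returns 0 when neither SSLv3 nor an RC4 suite can be negotiated, 1 otherwise.
# Findings are printed one per line, prefixed FAIL or WARN.
audit_tls_properties() {
    file=$1
    rc=0
    protocols=$(get_property "$file" tomcat.ssl.enabled.protocols)
    ciphers=$(get_property "$file" tomcat.ciphers)

    # The product documents that spaces between list items are not allowed.
    case "$protocols$ciphers" in
        *" "*) echo "FAIL: $file: spaces inside a list value"; rc=1 ;;
    esac

    # SSLv3 is the protocol POODLE needs. SSLv2Hello only permits the legacy
    # ClientHello format and does not enable SSL 2.0, so it is not flagged.
    case ",$protocols," in
        *,SSLv3,*|*,SSLv2,*) echo "FAIL: $file: protocols '$protocols' still allow SSLv3/SSLv2"; rc=1 ;;
    esac
    if [ -z "$protocols" ]; then
        echo "WARN: $file: tomcat.ssl.enabled.protocols not set, documented default TLSv1,TLSv1.1,TLSv1.2 applies"
    fi

    # Any *_RC4_* suite means the Windows 2003 workaround is in place.
    case "$ciphers" in
        *_RC4_*) echo "WARN: $file: RC4 suite enabled (Windows 2003 workaround); RFC 7465 prohibits RC4 in TLS"; rc=1 ;;
    esac
    if [ -z "$ciphers" ]; then
        echo "WARN: $file: tomcat.ciphers not set, JSSE default cipher list applies"
    fi
    return $rc
}

# Usage (paths assumed): audit every component present on this host.
if [ "${1:-}" = "--audit" ]; then
    status=0
    for f in /opt/bmc/BMC_Application_Diagnostics/*/properties/*.properties; do
        [ -f "$f" ] && { audit_tls_properties "$f" || status=1; }
    done
    exit $status
fi
```

Verify from outside as well: after the patch, a client that offers only SSLv3 (for example nmap --script ssl-enum-ciphers against the HTTPS port, or openssl s_client -ssl3 from an OpenSSL build that still includes SSLv3 support) must fail to complete a handshake with the Portal, Collector and APM Proxy ports.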

If a problem occurs

If you encounter problems during the installation of the patch, or if you cannot access the internet to run the installation, contact BMC Customer Support.

Related topics

Release notes and notices

Known and corrected issues