Patch available for SSL 3.0 POODLE security vulnerability for Application Diagnostics
This patch repairs the POODLE (Padding Oracle On Downgraded Legacy Encryption) security vulnerabilities for communication between Application Diagnostics Agents for Java and Application Diagnostics Server components.
After installing the patch, you can no longer use SSL 3.0, and specifically the RC4 cipher.
Downloading the patch
See Downloading the installation files for BMC Application Diagnostics and select the Patches tab.
Patch contents
File name | Description |
---|---|
readme.txt | Patch description and installation instructions |
adops-agent-upgrade.bat | Patch upgrade script for the Agent for Java on Windows |
adops-agent-upgrade.sh | Patch upgrade script for the Agent for Java on Linux |
adops-agent-install.bat | Installation script for version 2.6.10.15 of Agent for Java on Windows |
adops-agent-install.sh | Installation script for version 2.6.10.15 of Agent for Java on Linux |
agentInstaller.jar | Upgraded JAR file, used by the Agent for Java |
common-server.jar | Upgraded JAR file to replace the file for each Application Diagnostics Server component |
portal.jar | Upgraded JAR file to replace the file in the Application Diagnostics Portal |
Applying the Patch
To apply the patch, first patch the Application Diagnostics Server components, then upgrade each Agent for Java, as instructed in the following sections.
To apply the patch to the Application Diagnostics Server components
Replace the required file on the Application Diagnostics Portal, Collector, and Proxy servers, and modify the property files as instructed.
If the Portal, Collector, and APM Proxy are installed on the same computer, replace the file once; otherwise, replace it for each installation.
- Stop the service or services.
- In the server installation directory, under the common/lib directory, replace common-server.jar with the file in this patch.
The following file paths show the default installation directory:
- (Windows) C:\Program Files\BMC Software\BMC Application Diagnostics\common\lib
- (Linux) /opt/bmc/BMC_Application_Diagnostics/common/lib
- In the Portal installation directory, under the portal/lib directory, replace portal.jar with the file in this patch.
The following file paths show the default installation directory:
- (Windows) C:\Program Files\BMC Software\BMC Application Diagnostics\portal\lib
- (Linux) /opt/bmc/BMC_Application_Diagnostics/portal/lib
- Open the properties file for each component in a text editor:
- Portal: installationDirectory\portal\properties\portal.properties
- Collector: installationDirectory\collector\properties\collector.properties
- APM Proxy: installationDirectory\apm-proxy\properties\apm-proxy.properties
For each component properties file, add the following lines for the tomcat.ciphers and the tomcat.ssl.enabled.protocols properties:
# A comma separated list of encryption ciphers to support for HTTPS connections. Spaces between list items are not allowed.
tomcat.ciphers=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA
#The comma separated list of SSL protocols to support for HTTPS connections. Spaces between list items are not allowed.
#Default Value: TLSv1,TLSv1.1,TLSv1.2
tomcat.ssl.enabled.protocols=SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2
- Restart the service or services.
To apply the patch to the Agent for Java
On each computer with an Agent for Java, run the included adops-agent-upgrade file that is appropriate for your environment. Use the -skipVer option to upgrade the Agent, regardless of version:
- Windows
adops-agent-upgrade.bat -s -d installationDirectory -skipVer
- Linux
./adops-agent-upgrade.sh -s -d installationDirectory -skipVer
Replace installationDirectory with the full path to the existing Application Diagnostics Agent installation directory, which must include the ADOPsInstall directory. For example: c:\BMC Software\ADOPs\ADOPsInstall
For complete upgrade instructions, see Upgrading the Diagnostics Agent for Java.
To install a new Agent for Java
You can install an Agent for Java on an application server where an agent is not installed. The following silent installation command uses the default values for Agent installation:
- Windows
adops-agent-install.bat -s -a application_display_name
- Linux
./adops-agent-install.sh -s -a application_display_name
Replace application_display_name with the display name of the application that the Agent monitors. The value is required and can include up to 255 alphanumeric Latin characters, and the following special characters: ~ ` ! @ # $ % ^ & * ( ) - _ + = ? . , ; /
For complete installation instructions, see Installing the Diagnostics Agent for Java.
Workaround for Windows 2003 application servers
Follow the instructions in "To apply the patch to the Application Diagnostics Server components." In portal.properties and collector.properties, add the item "SSL_RSA_WITH_RC4_128_SHA" to the beginning of the tomcat.ciphers property:
tomcat.ciphers=SSL_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA
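The following check is an added example, not part of the BMC patch or its scripts. It audits the text of a component properties file against the server-component steps and the Windows 2003 workaround above: both properties present, no spaces in the lists, SSLv3 not enabled, and RC4 accepted only when the workaround is declared. The function names, the allow_rc4 parameter, and the shortened sample files are assumptions made for illustration.

```python
"""Audit the TLS properties this patch adds (added example, not BMC code)."""

REQUIRED_KEYS = ("tomcat.ciphers", "tomcat.ssl.enabled.protocols")


def parse_properties(text):
    """Return key -> raw value for key=value lines; '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value  # raw value, so stray spaces stay visible
    return props


def audit(text, allow_rc4=False):
    """Return a list of findings; an empty list means the file matches the patch."""
    props = parse_properties(text)
    findings = []
    for key in REQUIRED_KEYS:
        if key not in props:
            findings.append(f"{key}: property missing")
            continue
        value = props[key]
        if any(ch.isspace() for ch in value):
            findings.append(f"{key}: whitespace in list (not allowed)")
        items = [item.strip() for item in value.split(",")]
        # SSLv2Hello is a JSSE hello-format token, not SSL 2.0, so it is not flagged.
        if key == "tomcat.ssl.enabled.protocols" and "SSLv3" in items:
            findings.append(f"{key}: SSLv3 still enabled")
        if key == "tomcat.ciphers" and not allow_rc4:
            findings += [f"{key}: RC4 suite {c}" for c in items if "_RC4_" in c]
    return findings


# Constructed sample files (shortened cipher lists, for illustration only).
PATCHED = """# constructed sample
tomcat.ciphers=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA
tomcat.ssl.enabled.protocols=SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2
"""
WIN2003 = PATCHED.replace("tomcat.ciphers=", "tomcat.ciphers=SSL_RSA_WITH_RC4_128_SHA,")
MISCONFIGURED = """tomcat.ciphers=SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA
tomcat.ssl.enabled.protocols=SSLv3,TLSv1
"""

if __name__ == "__main__":
    for name, text, rc4 in (("patched", PATCHED, False), ("win2003", WIN2003, True),
                            ("misconfigured", MISCONFIGURED, False)):
        print(name, audit(text, allow_rc4=rc4) or "OK")
```

Pass allow_rc4=True only for the portal.properties and collector.properties files of servers that use the Windows 2003 workaround, so that an RC4 suite anywhere else is reported.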
If a problem occurs
If you encountered problems during the installation of the patch or if you could not access the internet to run the installation, contact BMC Customer Support.