This patch repairs the POODLE (Padding Oracle On Downgraded Legacy Encryption) security vulnerabilities for communication between Application Diagnostics Agents for Java and Application Diagnostics Server components.
After you install the patch, SSL 3.0 can no longer be used, and the RC4 cipher in particular is disabled.
Warning
After you upgrade the Application Diagnostics Server, the Agent for .NET can no longer monitor application servers running on Windows 2003.
A workaround enables monitoring of Windows 2003 application servers, but the workaround does not remove the POODLE security vulnerability.
See Downloading the installation files for BMC Application Diagnostics and select the Patches tab.
| File name | Description |
|---|---|
| readme.txt | Patch description and installation instructions |
| adops-agent-upgrade.bat | Patch upgrade script for the Agent for Java on Windows |
| adops-agent-upgrade.sh | Patch upgrade script for the Agent for Java on Linux |
| adops-agent-install.bat | Installation script for version 2.6.10.15 of the Agent for Java on Windows |
| adops-agent-install.sh | Installation script for version 2.6.10.15 of the Agent for Java on Linux |
| agentInstaller.jar | Upgraded JAR file, used by the Agent for Java |
| common-server.jar | Upgraded JAR file that replaces the existing file for each Application Diagnostics Server component |
| portal.jar | Upgraded JAR file that replaces the existing file in the Application Diagnostics Portal |
To apply the patch, first patch the Application Diagnostics Server components, then upgrade each Agent for Java, as instructed in the following sections.
Replace the common-server.jar file on the Application Diagnostics Portal, Collector, and APM Proxy servers, and modify the properties files as instructed. If the Portal, Collector, and APM Proxy are installed on the same computer, replace the file once; otherwise, replace it for each installation.
The following file paths show the default installation directory:
(Windows) C:\Program Files\BMC Software\BMC Application Diagnostics\common\lib
(Linux) /opt/bmc/BMC_Application_Diagnostics/common/lib
In the Portal installation directory, under the portal/lib directory, replace portal.jar with the file in this patch.
The following file paths show the default installation directory:
(Windows) C:\Program Files\BMC Software\BMC Application Diagnostics\portal\lib
(Linux) /opt/bmc/BMC_Application_Diagnostics/portal/lib
Open the properties file for each component in a text editor:
Portal: installationDirectory\portal\properties\portal.properties
Collector: installationDirectory\collector\properties\collector.properties
APM Proxy: installationDirectory\apm-proxy\properties\apm-proxy.properties
For each component properties file, add the following lines for the tomcat.ciphers and tomcat.ssl.enabled.protocols properties:

```properties
# A comma separated list of encryption ciphers to support for HTTPS connections. Spaces between list items are not allowed.
tomcat.ciphers=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA
# The comma separated list of SSL protocols to support for HTTPS connections. Spaces between list items are not allowed.
# Default Value: TLSv1,TLSv1.1,TLSv1.2
tomcat.ssl.enabled.protocols=SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2
```
On each computer with an Agent for Java, run the included adops-agent-upgrade script that is appropriate for your environment. Use the -skipVer option to upgrade the Agent regardless of its version:

```
(Windows) adops-agent-upgrade.bat -s -d installationDirectory -skipVer
(Linux)   ./adops-agent-upgrade.sh -s -d installationDirectory -skipVer
```

Replace installationDirectory with the full path to the existing Application Diagnostics Agent installation directory, which must include the ADOPsInstall directory. For example: c:\BMC Software\ADOPs\ADOPsInstall
For complete upgrade instructions, see Upgrading the Diagnostics Agent for Java.
You can install an Agent for Java on an application server where no agent is installed. The following silent installation command uses the default values for the Agent installation:

```
(Windows) adops-agent-install.bat -s -a application_display_name
(Linux)   ./adops-agent-install.sh -s -a application_display_name
```

Replace application_display_name with the display name of the application that the Agent monitors. The value is required and can include up to 255 alphanumeric Latin characters and the following special characters: ~ ` ! @ # $ % ^ & * ( ) - _ + = ? . , ; /
For complete installation instructions, see Installing the Diagnostics Agent for Java.
Warning
The following workaround enables the Application Diagnostics Agent for .NET to monitor application servers, but it leaves those servers exposed to the POODLE vulnerability.
Follow the instructions in "To apply the patch to the Application Diagnostics Server components". In portal.properties and collector.properties, add the item SSL_RSA_WITH_RC4_128_SHA to the beginning of the tomcat.ciphers property:

```properties
# A comma separated list of encryption ciphers to support for HTTPS connections. Spaces between list items are not allowed.
tomcat.ciphers=SSL_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA
```
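The following audit script is an added example, not part of the BMC patch. It reads the tomcat.ciphers and tomcat.ssl.enabled.protocols properties described in the patch section and in this workaround, and reports the states an administrator would want to know about after patching: a property missing, spaces between list items, SSLv3 still enabled, or the RC4 workaround suite present. The embedded properties text is a constructed sample; in practice read portal.properties, collector.properties, and apm-proxy.properties from disk instead.

```python
# Added audit example (not BMC code) for the POODLE patch properties settings.
import re

# Constructed sample: a patched portal.properties with the Windows 2003
# workaround applied (RC4 suite prepended), so the audit has something to flag.
SAMPLE_PROPERTIES = """\
# A comma separated list of encryption ciphers to support for HTTPS connections.
tomcat.ciphers=SSL_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA
#The comma separated list of SSL protocols to support for HTTPS connections.
tomcat.ssl.enabled.protocols=SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2
"""


def parse_properties(text):
    """Minimal Java .properties reader: skip blank and comment lines, split on the first '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_tls_settings(text):
    """Return a list of findings; an empty list means the file matches the patch guidance."""
    props = parse_properties(text)
    findings = []
    for key in ("tomcat.ciphers", "tomcat.ssl.enabled.protocols"):
        if key not in props:
            findings.append(f"{key}: property missing; the patch requires it to be set")
        elif re.search(r",\s|\s,", props[key]):
            findings.append(f"{key}: spaces between list items are not allowed")
    if "SSLv3" in props.get("tomcat.ssl.enabled.protocols", "").split(","):
        findings.append("tomcat.ssl.enabled.protocols: SSLv3 enabled; POODLE downgrade remains possible")
    for suite in props.get("tomcat.ciphers", "").split(","):
        # SSL_RSA_WITH_RC4_128_SHA is the Windows 2003 workaround suite from this notification.
        if "RC4" in suite:
            findings.append(f"tomcat.ciphers: {suite} is the Windows 2003 workaround; POODLE exposure remains")
    return findings


if __name__ == "__main__":
    for finding in audit_tls_settings(SAMPLE_PROPERTIES) or ["no findings"]:
        print(finding)
```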
If you encountered problems during the installation of the patch or if you could not access the internet to run the installation, contact BMC Customer Support.