Premises Web Server Security Vulnerabilities

The 5.x (Premises) version of the xMatters web server may be subject to the following identified security vulnerabilities:

  • CVE-2013-2566, CVE-2015-2808: SSL/TLS use of weak RC4 cipher port 8443/tcp over SSL
  • CVE-2014-3566: SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE) port 8443/tcp over SSL
  • CVE-2011-3389: SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST) port 8443/tcp over SSL

Resolution

Eliminating these vulnerabilities depends on your deployment:

  • The xMatters 5.1 patch 011 and Integration Agent 5.1.8 releases include the recommended changes and updates to Jetty that are described in this article.
  • New installations of 5.1 patch 011 using the 5.1.8 version of the Integration Agent that have completed the SSL configuration described in the xMatters installation and administration guide need to complete only the "Disallow CBC algorithms" section below.
  • Deployments that have been upgraded to 5.1 patch 011 and are using the Integration Agent 5.1.8 should review the "Configure Jetty" and "Disallow CBC algorithms" sections below for instructions.
  • Deployments using any xMatters 5.1 patch prior to patch 011 should review and follow all instructions below.
All customers are recommended to place a proxy server, such as Apache or IIS, in front of the xMatters web container. For more information about configuring a proxy server with the required facilities, refer to the xMatters installation and administration guide.

Recommendations

The following recommendations are suggested for any customers wanting to eliminate these issues on versions of xMatters 5.1 patch 010 and prior.

Configure Jetty to use TLS version 1.2 or 1.1

You can reconfigure Jetty to force the SSL sockets to support only TLSv1.1 and TLSv1.2.

NOTE: If you are configuring a deployment running 5.1 patch 010 (or earlier), install the 5.1 patch 011 update first OR do the following: 

  1. Stop the xMatters web server.
  2. Navigate to <xMHOME>/webserver/lib/ext. Move the com.xmatters.jetty.handler.jar file to a backup location, and make a backup copy of the jetty-ssl.xml file.
  3. Download the jetty-redirector.jar file attached to this article and copy it into the <xMHOME>/webserver/lib/ext folder.

To configure Jetty:

  1. Open the <xMHOME>/webserver/lib/ext/jetty-ssl.xml file in a text editor, and then locate the following line:
    <New class="org.mortbay.jetty.security.SslSocketConnector">
  2. Change it to the following:
    <New class="com.xmatters.jetty.security.SecureSslSocketConnector">
  3. Save and close the file.
  4. Restart the xMatters web server.

NOTE: Upgrading your web server (i.e., applying an xMatters patch) may overwrite configuration changes. Newer patches may also require different steps to configure Jetty. See the "Applying product patches" section below for more information.

Disallow CBC algorithms

Disallowing CBC algorithms will remediate issues with the BEAST vulnerability. This step is required on all 

To disallow CBC algorithms:

  1. Navigate to <xMHOME>\jre\lib\security and open the java.security file in a text editor.
  2. Locate the following line:
    # jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
  3. Leave the commented line in place and add the following line directly beneath it, so that the file reads:
    # jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048
    jdk.tls.disabledAlgorithms=CBC
  4. Save and close the file.
  5. Restart the xMatters web server.

Integration Agent

The Integration Agent supports secure connections to the web server over TLSv1 only. This is the only protocol enabled by the JRE 1.7 that is shipped with the Integration Agent. To allow the Integration Agent to communicate with the web server, you must allow TLSv1 connections on the web server, or deploy the work-around attached to this article.

To configure the Integration Agent (version 5.1.7 only):

  1. Stop the Integration Agent.
  2. Navigate to the <IAHOME>/lib folder and make a backup copy of the com.alarmpoint.apex.integrationagent.jar file in a separate directory.
  3. Download the com.alarmpoint.apex.integrationagent.jar file attached to this article and copy it into <IAHOME>/lib.
  4. Restart the Integration Agent.

NOTE: The 5.1.8 release of the Integration Agent includes an updated JRE (1.8) that is not subject to this issue.
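The following is an added illustration, not xMatters' or Jetty's own code, covering both the "Disallow CBC algorithms" section and the Integration Agent note above. It is a deliberately simplified model of how a jdk.tls.disabledAlgorithms value and a server-side protocol restriction narrow a TLS handshake: a constraint name matches when it is an underscore-delimited token of the JSSE suite name or equals a protocol name (real JSSE derives more component names per suite, and applies key-size conditions that this model ignores). The suite list is constructed to resemble a Java 7 JRE, which has no AES-GCM suites, and the "server" and "client" profiles are assumptions, not values read from any xMatters file.

```python
"""Simplified model of jdk.tls.disabledAlgorithms and protocol restriction.

Added example for this article; assumptions are marked in comments.
"""

# Protocol versions in negotiation order, oldest first.
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

# Constructed sample of JSSE suite names as a Java 7 server might enable them.
# Java 7 has no AES-GCM suites, so every AES and 3DES suite here is CBC mode;
# the only non-CBC suites are the RC4 ones this article also wants removed.
JAVA7_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
]


def parse_disabled_algorithms(line):
    """Return the constraint names from a java.security line.

    A line beginning with '#' is commented out and contributes nothing.
    Entries are comma separated; an entry such as 'RSA keySize < 2048'
    carries a condition that this model ignores, keeping only 'RSA'.
    """
    line = line.strip()
    if line.startswith("#"):
        return []
    if "=" in line:
        line = line.split("=", 1)[1]
    names = []
    for entry in line.split(","):
        words = entry.strip().split()
        if words:
            names.append(words[0])
    return names


def suite_components(suite):
    """Tokens of a JSSE suite name, e.g. TLS_RSA_WITH_AES_128_CBC_SHA
    -> {'TLS', 'RSA', 'WITH', 'AES', '128', 'CBC', 'SHA'}.  Enough to match
    the names used in this article (CBC, RC4, MD5); real JSSE adds derived
    names such as AES_128_CBC and HmacSHA1 as well."""
    return set(suite.split("_"))


def suite_allowed(suite, disabled):
    """True unless any disabled name is a component of the suite."""
    return not (suite_components(suite) & set(disabled))


def allowed_suites(suites, disabled):
    """Suites that survive the given disabled-algorithm names, in order."""
    return [s for s in suites if suite_allowed(s, disabled)]


def negotiate(server_protocols, server_suites, disabled,
              client_protocols, client_suites):
    """Return the (protocol, suite) the model negotiates, or None.

    'disabled' is applied to protocol names and suite components alike, as
    the property is in JSSE.  The highest common protocol wins, and suites
    are taken in the client's order (assumed here, matching a JSSE server
    that does not enforce its own cipher-suite preference).
    """
    disabled = set(disabled)
    common = [p for p in PROTOCOL_ORDER
              if p in server_protocols and p in client_protocols
              and p not in disabled]
    if not common:
        return None
    protocol = common[-1]
    for suite in client_suites:
        if suite in server_suites and suite_allowed(suite, disabled):
            return protocol, suite
    return None


if __name__ == "__main__":
    cbc_only = parse_disabled_algorithms("jdk.tls.disabledAlgorithms=CBC")
    print("left after CBC disabled:", allowed_suites(JAVA7_SUITES, cbc_only))
    print("left after CBC and RC4 disabled:",
          allowed_suites(JAVA7_SUITES, cbc_only + ["RC4"]))
    # Assumed profile of a TLSv1-only client against the hardened server.
    print("TLSv1-only client vs TLSv1.1/1.2 server:",
          negotiate({"TLSv1.1", "TLSv1.2"}, JAVA7_SUITES, cbc_only,
                    {"TLSv1"}, JAVA7_SUITES))
```

Two results of the model are the checks a practitioner wants before and after the change: with only `CBC` in java.security the RC4 suites remain negotiable, and on a Java 7 suite list disabling both CBC and RC4 leaves nothing at all, which is why any remaining RC4 exposure on a 1.7 JRE has to be dealt with outside java.security (for instance by the proxy this article recommends) and why the result should be confirmed against port 8443 with a TLS scanner rather than assumed. The last call shows the Integration Agent case: a client that offers only TLSv1 cannot connect once the server accepts only TLSv1.1 and TLSv1.2.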


Further information

Applying product patches

When applying an xMatters patch, any changes made to configuration file parameters may not be retained after install. Each patch may overwrite modifications to some or all of the following files.

node\assets\resources\spring\integration*.xml
webserver\webapps\cocoon\WEB-INF\classes\resources\spring\integration*.xml
webserver\webapps\axis2\WEB-INF\classes\resources\spring\integration*.xml
webserver\webapps\mobilegateway\WEB-INF\classes\resources\spring\integration*.xml
node.sh
webserver.sh
node-start.conf
webserver-start.conf
c3p0.properties
c3p0-config.xml

Back up your configuration files before applying the patch; any changes you have made prior to the patch will need to be reapplied. For more information, consult the release notes for the patch you are applying, or refer to the xMatters installation and administration guide.

Additional Jetty configuration information 

How to secure the xMatters web server for OnPremise installations


xMatters internal reference: DTN-5547, SUP-13893
