Serena Deployment Automation 6.1.3 Security Bulletin
This document contains important security information for Serena® Deployment Automation. This document is available only to registered customers who log in to the Serena Support site.

General Information

Use this security bulletin for configuring Deployment Automation version 6.1.1 or above to mitigate security vulnerabilities.

For details see the following sections:

POODLE and BEAST

Clickjacking

POODLE and BEAST

This section tells how to configure Deployment Automation version 6.1.1 or above to mitigate POODLE and BEAST security vulnerabilities.

Both vulnerabilities have the potential to affect any SSL-encrypted communication, so connections to and from Serena Deployment Automation are affected. POODLE is mitigated by forbidding the SSL 3.0 protocol for both JMS and HTTP connections. BEAST is mitigated by forbidding the TLSv1 protocol for both JMS and HTTP connections. To resolve both vulnerabilities, the SSL 3.0 and TLSv1 protocols should be forbidden for all connections. It is recommended to use only the TLSv1.2 and TLSv1.1 protocols.

By default, the TLSv1.2, TLSv1.1, and TLSv1 protocols are enabled for servers, agents, and agent relays. Therefore, only POODLE is mitigated in the default configuration. This is to allow connections from agents and agent relays that use versions of Java that do not support TLSv1.2 and TLSv1.1. It is recommended that you upgrade any existing agents and agent relays to a version of Java that supports these protocols, and then follow the instructions in this security bulletin to limit the SSL-enabled protocols to TLSv1.2 and TLSv1.1 only.

For details, see the following topics:

Securing Server Communication

Use these configuration steps to further secure servers that were installed using a Deployment Automation version 6.1.1 or above installer.

Follow these steps to secure the Deployment Automation server:

  1. Navigate to the Tomcat conf directory. For example: ..\common\tomcat\8.0\conf
  2. Edit the server.xml file.
  3. For each SSL-enabled Connector port, modify the sslEnabledProtocols attribute to include only these protocols:

    sslEnabledProtocols="TLSv1.1,TLSv1.2"

  4. Navigate to the profile directory. For example: ..\.serena\ra\conf\server
  5. Edit the installed.properties file.
  6. Modify the server.ssl.enabled.protocols attribute to include only these protocols:

    server.ssl.enabled.protocols=TLSv1.1,TLSv1.2

Securing Agent Communication

Use these configuration steps to further secure agents that were installed using a Deployment Automation version 6.1.1 or above installer.

To secure an agent:

  1. Navigate to the agent directory. For example: ..\serena\Deployment Automation Agent\core\conf\agent
  2. Edit the installed.properties file.
  3. Modify the locked/agent.ssl.enabled.protocols attribute to include only these protocols:

    locked/agent.ssl.enabled.protocols=TLSv1.1,TLSv1.2

Securing Agent Relay Communication

Use these configuration steps to further secure agent relays that were installed using a Deployment Automation version 6.1.1 or above installer.

To secure an agent relay:

  1. Navigate to the agent relay conf directory: ..\Serena\agentrelay\conf
  2. Edit the agentrelay.properties file.
  3. Modify the agentrelay.ssl.enabled.protocols parameter to include only these protocols:

    agentrelay.ssl.enabled.protocols=TLSv1.2,TLSv1.1
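As an added check that is not part of this bulletin or of the product, the following script audits the files edited in the server, agent, and agent relay procedures above: it reports every SSL-enabled Tomcat Connector in server.xml whose sslEnabledProtocols attribute still offers a protocol other than TLSv1.1 and TLSv1.2, and does the same for the server.ssl.enabled.protocols, locked/agent.ssl.enabled.protocols, and agentrelay.ssl.enabled.protocols keys in the .properties files. The sample file contents are constructed; it is assumed that SSL connectors carry Tomcat's SSLEnabled="true" attribute and that the .properties files use "=" as the separator.

```python
import xml.etree.ElementTree as ET

# The only protocols the bulletin permits after hardening.
ALLOWED = {"TLSv1.1", "TLSv1.2"}

def _split(value):
    """Split a comma-separated protocol list, dropping blanks."""
    return [p.strip() for p in value.split(",") if p.strip()]

def audit_server_xml(xml_text):
    """Return {port: [unexpected protocols]} for every SSL-enabled Connector.
    An SSL connector with no sslEnabledProtocols attribute is reported as
    '<unset: JVM default>' because the bulletin requires it to be set explicitly."""
    findings = {}
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP / AJP connector, nothing to check
        port = conn.get("port", "?")
        protos = conn.get("sslEnabledProtocols")
        if protos is None:
            findings[port] = ["<unset: JVM default>"]
            continue
        bad = [p for p in _split(protos) if p not in ALLOWED]
        if bad:
            findings[port] = bad
    return findings

def audit_properties(props_text, key):
    """Return the unexpected protocols listed under `key` in a .properties file,
    or ['<missing>'] if the key is absent (assumes '=' as the separator)."""
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        k, sep, v = line.partition("=")
        if sep and k.strip() == key:
            return [p for p in _split(v) if p not in ALLOWED]
    return ["<missing>"]

# Constructed sample inputs, not taken from a real installation.
SAMPLE_SERVER_XML = """<Server><Service>
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"/>
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1.1,TLSv1.2"/>
</Service></Server>"""
SAMPLE_AGENT_PROPS = "# agent\nlocked/agent.ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1\n"

if __name__ == "__main__":
    print(audit_server_xml(SAMPLE_SERVER_XML))  # {'8443': ['TLSv1']}
    print(audit_properties(SAMPLE_AGENT_PROPS, "locked/agent.ssl.enabled.protocols"))  # ['TLSv1']
```

Run it against each host's real files after editing them; an empty result for every connector and key means only TLSv1.1 and TLSv1.2 remain enabled.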

Securing Upgrades of Agents

You can upgrade agents from the Deployment Automation user interface. By default, the UI upgrade configures the agents to allow connections through the TLSv1.2, TLSv1.1, and TLSv1 protocols. Use the following procedure to configure the UI upgrade so that it configures the agents to connect only through the TLSv1.2 and TLSv1.1 protocols.

To make agents upgraded through the user interface more secure:

  1. Navigate to the Tomcat webapps\serena_ra\WEB-INF directory. For example:

    ..\common\tomcat\8.0\webapps\serena_ra\WEB-INF

  2. Back up the air-agentupgrade.jar file.
  3. Stop the server.
  4. Rename the air-agentupgrade.jar file to air-agentupgrade.zip.
  5. Within air-agentupgrade.zip, open the agent-upgrade\install\AgentInstaller.groovy file.
  6. Find the following string:

    if (sslEnabledProtocols == null) {
        sslEnabledProtocols = "TLSv1.2,TLSv1.1,TLSv1"
    }

    and replace the entire string with just the following line:

    sslEnabledProtocols = "TLSv1.2,TLSv1.1"

    Note: The only way to mitigate both BEAST and POODLE is to limit the protocols unconditionally, which is why the null check is removed rather than edited.
  7. Save your changes.
  8. Rename air-agentupgrade.zip back to air-agentupgrade.jar.
  9. Start the server.
  10. Upgrade the agents from the Deployment Automation user interface.

Clickjacking

Deployment Automation 6.1.2 and prior versions have a medium risk vulnerability to Clickjacking.

Clickjacking is a technique used to trick users into clicking a button or link that then routes the click to another page than the one they believe they are interacting with. Similarly, users can be tricked into entering keystrokes that are then captured by the offending software.

For details on Clickjacking, see the following:

https://www.owasp.org/index.php/Clickjacking

This vulnerability has been fixed in Deployment Automation 6.1.3. Therefore, once you upgrade to Deployment Automation 6.1.3 or higher, this will no longer be an issue. If you need to apply this fix to an earlier version of Deployment Automation, please contact Support.