Use this security bulletin for configuring Deployment Automation version 6.1.1 or above to mitigate security vulnerabilities.
This section tells how to configure Deployment Automation version 6.1.1 or above to mitigate POODLE and BEAST security vulnerabilities.
Both vulnerabilities can affect any SSL-encrypted communication, so requests to communicate with Serena Deployment Automation are affected. POODLE is mitigated by disabling the SSL 3.0 protocol for both JMS and HTTP connections. BEAST is mitigated by disabling the TLSv1 protocol for both JMS and HTTP connections. To resolve both vulnerabilities, disable the SSL 3.0 and TLSv1 protocols for all connections and use only the TLSv1.2 and TLSv1.1 protocols.
By default, the TLSv1.2, TLSv1.1, and TLSv1 protocols are enabled for servers, agents, and agent relays, so only POODLE is mitigated in the default configuration. This default allows connections from agents and agent relays that use versions of Java that do not support TLSv1.2 and TLSv1.1. It is recommended that you upgrade any existing agents and agent relays to a version of Java that supports these protocols, and then follow the instructions in this security bulletin to limit the SSL-enabled protocols to TLSv1.2 and TLSv1.1 only.
Use these configuration steps to further secure servers that were installed using a Deployment Automation version 6.1.1 or above installer.
Follow these steps to secure the Deployment Automation server:
sslEnabledProtocols="TLSv1.1,TLSv1.2"
server.ssl.enabled.protocols=TLSv1.1,TLSv1.2
Use these configuration steps to further secure agents that were installed using a Deployment Automation version 6.1.1 or above installer.
To secure an agent:
locked/agent.ssl.enabled.protocols=TLSv1.1,TLSv1.2
Use these configuration steps to further secure agent relays that were installed using a Deployment Automation version 6.1.1 or above installer.
To secure an agent relay:
agentrelay.ssl.enabled.protocols=TLSv1.2,TLSv1.1
You can upgrade agents from the Deployment Automation user interface. By default, the UI upgrade configures the agents to allow connections through the TLSv1.2, TLSv1.1, and TLSv1 protocols. Use the following procedure to configure the UI upgrade so that it configures the agents to connect only through the TLSv1.2 and TLSv1.1 protocols.
To make agents upgraded through the user interface more secure:
..\common\tomcat\8.0\webapps\serena_ra\WEB-INF
if (sslEnabledProtocols == null) {
sslEnabledProtocols = "TLSv1.2,TLSv1.1,TLSv1"
}
and replace the entire string with just the following line:
sslEnabledProtocols = "TLSv1.2,TLSv1.1"
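To verify the server, agent, agent relay and UI-upgrade settings above after editing them, the following added audit script (written for this bulletin, not part of the product) reads the property lines and the sslEnabledProtocols attribute and reports any protocol the bulletin says to disable. The sample configuration fragments at the bottom are constructed for illustration.

```python
import re

# Protocols the bulletin says to disable (SSL 3.0 for POODLE, TLSv1 for BEAST)
# and the only ones it recommends leaving enabled.
FORBIDDEN = ("SSLv3", "SSL3", "TLSv1")
RECOMMENDED = ("TLSv1.1", "TLSv1.2")
# Property keys named in the bulletin; the agent key carries a "locked/" prefix.
PROPERTY_KEYS = {"server.ssl.enabled.protocols", "agent.ssl.enabled.protocols",
                 "agentrelay.ssl.enabled.protocols"}

def _split(value):
    return [p.strip() for p in value.split(",") if p.strip()]

def enabled_protocols(config_text):
    """Return [(key, [protocols])] for each SSL-protocol setting in config_text:
    Java properties lines (key=value, optional 'locked/' prefix) and the
    sslEnabledProtocols="..." attribute from server.xml or the upgrade script."""
    found = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # properties-file comments and blank lines
        m = re.match(r"^(?:locked/)?([\w.]+)\s*[=:]\s*(.*)$", line)
        if m and m.group(1) in PROPERTY_KEYS:
            found.append((m.group(1), _split(m.group(2))))
    for m in re.finditer(r'sslEnabledProtocols\s*=\s*"([^"]*)"', config_text):
        found.append(("sslEnabledProtocols", _split(m.group(1))))
    return found

def audit(config_text):
    """Return findings as strings; an empty list means every setting found is
    limited to the recommended protocols."""
    settings = enabled_protocols(config_text)
    if not settings:
        # No explicit setting means the product default applies, which includes TLSv1.
        return ["no SSL protocol setting found; the default enables TLSv1"]
    findings = []
    for key, protos in settings:
        bad = [p for p in protos if p in FORBIDDEN]
        if bad:
            findings.append(f"{key}: forbidden protocol(s) enabled: {', '.join(bad)}")
        elif not set(protos) <= set(RECOMMENDED):
            findings.append(f"{key}: enables protocols outside the recommended set")
    return findings

# Constructed sample fragments (not copied from any real installation).
SERVER_XML_DEFAULT = '<Connector port="8443" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" />'
AGENT_PROPS_HARDENED = "# agent settings\nlocked/agent.ssl.enabled.protocols=TLSv1.1,TLSv1.2\n"
RELAY_PROPS_WEAK = "agentrelay.ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1,SSLv3\n"
```

Run audit() over the contents of each configuration file you edited; an empty result means that file is limited to TLSv1.2 and TLSv1.1.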
Deployment Automation 6.1.2 and prior versions have a medium risk vulnerability to Clickjacking.
Clickjacking is a technique that tricks users into clicking a button or link that then routes them to another page. Similarly, users can be tricked into entering keystrokes that are then captured by the offending software.
This vulnerability has been fixed in Deployment Automation 6.1.3. Therefore, once you upgrade to Deployment Automation 6.1.3 or higher, this will no longer be an issue. If you need to apply this fix to an earlier version of Deployment Automation, please contact Support.

Copyright © 2016 Serena Software, Inc. All rights reserved.