How to unofficially disable SSL v3 in Oracle Enterprise Manager 12c to mitigate POODLE attack

With the recent POODLE vulnerability, server operators must now (finally) disable SSL version 3.0 and move up to TLS 1.0 at the minimum, if not TLS 1.2.

UPDATE: Many thanks to Courtney Llamas who provided me with a link to the section of the documentation that describes the right way to do this.  If you want to disable SSLv3 in EM12c, follow the instructions in section 2.3.2.4 of chapter 2 of the Oracle Enterprise Manager Cloud Control Security Guide.  You will need to re-secure your OMS during the process and this will require that you have access to the SYSMAN password and an agent registration password. I can confirm that the steps in this document work and do disable SSLv3. Make sure you follow the steps in the document to secure the management agents, too.

[EDIT: 20150312: Please note that you MUST install the 12.1.0.4.6 Agent bundle patch 20423395 to allow the agent-side “allowTLSOnly” property to function correctly. If you do not install this patch on your 12.1.0.4 agent, the agent will continue to permit SSLv3 connections.]

What follows demonstrates what happens when someone with a little too much information doesn’t read through the documentation.  Don’t do what I did.  Do it the right way, as described above.

I do not wish to wait for Oracle to provide a procedure to disable SSL version 3.0 in Oracle Enterprise Manager 12c, so I have come up with this process.  This will apply to Oracle Enterprise Manager 12c, PS3, PSU1 (aka 12.1.0.4.1, aka EM12c R4).  This process may work on older versions.

IMPORTANT DISCLAIMER: Oracle Support has not blessed this process and should provide an official method of fixing this issue soon.  You take all responsibility for any issues you encounter by following these instructions.  Of course, you also take the responsibility for operating your EM12c system in a way by which your encrypted connections can be trivially hacked, so make a decision appropriate to your environment.  I recommend you do NOT follow these steps and instead raise a priority Sev-1 service request with Oracle demanding an immediate, supported fix, but for those in a situation requiring an immediate response, I offer this post.

Do I have SSL v3 enabled now?

If you have not made a specific effort to disable it or applied a future patchset in which Oracle disables the functionality, you have SSL v3 enabled.

How do I test for SSL v3 in EM12c?

How can you test for it, and how can you validate that it is gone once you have disabled it?  I advise that you open up a copy of the Firefox browser and go to the about:config page.  In about:config, search for “security.tls.version”.  You can (as of the date I wrote this post) force Firefox to use only SSLv3 by setting both security.tls.version.min and security.tls.version.max to the value 0.  The image below shows a secure setting of 1 and 3 (for TLS 1.0 and TLS 1.2 respectively).

(Image: Firefox about:config setting screen)

Double-click on each of the top two lines and change the setting to 0.  The screen should now look like the image below.

(Image: Forcing Firefox to use SSLv3)

Make sure you change this setting back once you have finished testing or you have created a huge security risk for this browser.  See my previous post on Firefox security for more information.

Now that you have forced Firefox to use only SSLv3, navigate to your Oracle Enterprise Manager login screen.  If the page loads and you see a login prompt like below, your EM12c installation allows insecure SSLv3 connections.

(Image: Login Screen)

After disabling SSLv3 you should return to this section, repeat these steps, and make sure that you get an error page instead of the login screen.

Disabling SSLv3 in EM12c Oracle HTTP Server

As an aside, MOS note 1935500.1 appears to provide the master note for details about mitigating the POODLE attack in Oracle products.  In this instance, we specifically care about disabling SSLv3 in the Oracle HTTP Server (OHS) used by Oracle Enterprise Manager, and the documentation to make this change is available to the public in the Oracle HTTP Server documentation.

Specifically, you need to modify the SSLProtocol declaration in four different configuration files:

$EM_INSTANCE_BASE/WebTierIH1/config/OHS/ohs1/httpd_em.conf
$EM_INSTANCE_BASE/WebTierIH1/config/OHS/ohs1/ssl.conf
$MW_HOME/Oracle_WT/ohs/conf/ssl.conf
$OMS_HOME/sysman/config/httpd_em.conf.template

In the first three files, find the line that looks like:

SSLProtocol all -SSLv2

Change this line to:

SSLProtocol all -SSLv2 -SSLv3

In the last file, find the line that looks like:

SSLProtocol &PROTOCOL%

Change this line to:

SSLProtocol all -SSLv2 -SSLv3
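Before bouncing the stack, it is worth checking all four files mechanically rather than by eye. The script below is an added example, not part of the original post or any Oracle tooling: it reads the last uncommented SSLProtocol directive in each file and reports which files still permit SSLv3 (or still carry the unedited template placeholder). It assumes $EM_INSTANCE_BASE, $MW_HOME and $OMS_HOME are set as used in the paths above.

```shell
#!/bin/sh
# Added example (not from the original post): audit the SSLProtocol directive in
# the four OHS/OMS config files named above and report which still allow SSLv3.
# $EM_INSTANCE_BASE, $MW_HOME and $OMS_HOME are assumed to be set as in the post.

# Exit status: 0 = SSLv3 excluded, 1 = SSLv3 still allowed,
#              2 = no SSLProtocol directive found, 3 = unresolved template placeholder.
sslv3_disabled_in() {
    # Use the last uncommented SSLProtocol directive; a later one overrides earlier ones.
    line=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$1" 2>/dev/null | tail -n 1)
    [ -n "$line" ] || return 2
    case "$line" in
        *PROTOCOL%*)   return 3 ;;  # httpd_em.conf.template placeholder, not yet edited
        *-SSLv3*)      return 0 ;;  # "all -SSLv2 -SSLv3": the corrected form
        *all*|*SSLv3*) return 1 ;;  # "all -SSLv2" or an explicit +SSLv3 still permits it
        *)             return 0 ;;  # explicit TLS-only list such as "TLSv1 TLSv1.2"
    esac
}

# Print a verdict per file on stderr; echo on stdout the number of files not yet safe.
count_files_allowing_sslv3() {
    bad=0
    for f in "$@"; do
        # "&& rc=0 || rc=$?" keeps a non-zero return from aborting under set -e.
        sslv3_disabled_in "$f" && rc=0 || rc=$?
        case $rc in
            0) echo "OK           $f" >&2 ;;
            1) echo "SSLv3 ON     $f" >&2; bad=$((bad + 1)) ;;
            2) echo "NO DIRECTIVE $f" >&2; bad=$((bad + 1)) ;;
            3) echo "TEMPLATE     $f (PROTOCOL placeholder still present)" >&2; bad=$((bad + 1)) ;;
        esac
    done
    echo "$bad"
}

# Run the audit over the post's four files when the EM environment variables are set.
if [ -n "${EM_INSTANCE_BASE:-}" ] && [ -n "${MW_HOME:-}" ] && [ -n "${OMS_HOME:-}" ]; then
    count_files_allowing_sslv3 \
        "$EM_INSTANCE_BASE/WebTierIH1/config/OHS/ohs1/httpd_em.conf" \
        "$EM_INSTANCE_BASE/WebTierIH1/config/OHS/ohs1/ssl.conf" \
        "$MW_HOME/Oracle_WT/ohs/conf/ssl.conf" \
        "$OMS_HOME/sysman/config/httpd_em.conf.template"
fi
```

A count of 0 on stdout means every file has been edited; re-run it after any later re-secure of the OMS, since that step regenerates httpd_em.conf from the template.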

Then bounce your entire EM12c stack, return to the test procedure at the top of this post, force Firefox to SSLv3 only, and connect to Oracle Enterprise Manager.  You should now see an error like the following:

Error screen with SSLv3 disabled

Success!  Now revert those Firefox security.tls.version.min and security.tls.version.max settings back to 1 and 3 respectively, and return to EM12c and you should see the login page again.

Congratulations, you’ve just turned off SSLv3 in EM12c.  Please save these steps so that you can revert them back to the out-of-the-box behavior if requested to do so by Oracle or when they provide an official fix.  I hope to update this post in the future with similar instructions for the Weblogic admin console but I really hope Oracle Support beats me to it.
