Security Information from Scala regarding “Poodlebleed”
Recently another potentially significant Internet vulnerability, nicknamed “Poodlebleed” was disclosed. Given a web client and web server that are connecting using HTTPS (which is normally considered secure), an attacker who can position themselves in between the client and server can downgrade the security protocol to an older protocol known as “SSL 3.0”. The attacker can then exploit a weakness in SSL 3.0 to break the encryption and read the information that should have been secured. This issue is identified by the CVE number CVE-2014-3566.
This specific vulnerability can be prevented by disabling the SSL 3.0 protocol on any web servers in use. Scala is preparing the Release 10.4.3 updater for Content Manager Enterprise, and the Release 6.2.12 updater for Content Manager, that disable the use of the SSL 3.0 protocol. In the interim, administrators can use the manual steps outlined below to disable SSL 3.0. If your Content Manager Enterprise server is running an earlier release, we encourage you to move to the forthcoming 10.4.3, or apply the manual steps below. If your players connect via HTTPS to any other web servers, please ensure those servers also are configured to disallow SSL 3.0.
Important note for users of the IAdea media players:
We are still evaluating the impact of disabling SSL 3.0 when IAdea media players are connected via HTTPS. We will provide an update when we know more.
Important note for users of the Samsung Smart Signage Platform “C” Series:
The “C” Series of the Samsung Smart Signage Platform relies upon SSL 3.0 when connecting via HTTPS. Samsung is working on a firmware update that will allow these screens to continue to work over HTTPS against a server that has been updated to prevent “Poodlebleed”. You will need to update the firmware on such screens before applying the above-mentioned updaters or the below instructions. (Samsung Series “D” screens support HTTPS even when SSL 3.0 is disabled.)
Conclusion
Scala is taking steps to verify, and if necessary patch, any affected servers within our own infrastructure.
We hope this information helps you effectively deal with the current exploit.
If you have questions, contact your Scala partner or visit http://scala.com/connect/support/
Peter Cherna, CTO
Manual Steps to Disable the SSL 3.0 Protocol
To disable SSL 3.0, you need to modify the Content Manager database using your database management tools (e.g. pgAdmin III for PostgreSQL, or Microsoft SQL Management Studio for MS SQL). Before proceeding, make a backup of your database.
- In your database management tool, open the Content Manager database
- Locate the table named st_http_connector_attribute
- Scan all the rows of the table, looking for any rows whose sf_name is sslProtocol and whose sf_value is tls
- For each such row, change sf_name to sslEnabledProtocols and change sf_value to TLSv1,TLSv1.1,TLSv1.2
- Stop and restart Tomcat
- Wait five minutes, then stop and restart Tomcat a second time
NB: If you make new connectors from within Content Manager, you will have to update the database for the new connectors, per these instructions.
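The manual database edit above, written out as SQL so it can be previewed, applied in one transaction and verified before Tomcat is restarted. This is an added example, not a script from Scala; it assumes only the table and column names given in the steps (st_http_connector_attribute, sf_name, sf_value), and the LOWER() comparison is an assumption to avoid missing a value stored as TLS rather than tls. The statements used are accepted by both PostgreSQL and Microsoft SQL Server.

```sql
-- Added example (not Scala's own script): the manual steps expressed as SQL.
-- Assumes the table and column names from the steps above. Back up the database first.

-- 1. Preview: which connector rows still carry the old single-protocol setting?
SELECT *
  FROM st_http_connector_attribute
 WHERE sf_name = 'sslProtocol'
   AND LOWER(sf_value) = 'tls';      -- LOWER() is an assumption, in case the value was stored as 'TLS'

-- 2. Apply inside a transaction so a mistake can be rolled back instead of restored from backup.
--    BEGIN TRANSACTION / COMMIT / ROLLBACK work in both PostgreSQL and SQL Server.
BEGIN TRANSACTION;

UPDATE st_http_connector_attribute
   SET sf_name  = 'sslEnabledProtocols',
       sf_value = 'TLSv1,TLSv1.1,TLSv1.2'   -- explicit allow-list: SSLv3 is not on it, so it cannot be negotiated
 WHERE sf_name = 'sslProtocol'
   AND LOWER(sf_value) = 'tls';

-- 3. Verify before committing: no 'sslProtocol' rows with value 'tls' should remain,
--    and the rewritten rows should all show the TLS-only list.
SELECT sf_name, sf_value, COUNT(*) AS row_count
  FROM st_http_connector_attribute
 WHERE sf_name IN ('sslProtocol', 'sslEnabledProtocols')
 GROUP BY sf_name, sf_value;

-- If the verification query shows anything unexpected, run ROLLBACK; otherwise:
COMMIT;
```

Only rows whose sf_value is tls are touched, exactly as the steps specify; any connector row with a different value is left for the administrator to review. After COMMIT, complete the procedure as written above: stop and restart Tomcat, wait five minutes, then restart it a second time, and repeat the update for any connectors created later from within Content Manager.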
Original Security update at scala.com: Click Here