SSLv3 "Poodle" Security Vulnerability (CVE-2014-3566)

As you have most likely already heard, news sources, corporations and the OpenSSL team reported on 14 October 2014 that version 3 of Secure Sockets Layer (SSLv3) is insecure. This vulnerability makes it possible for hackers to hijack a victim’s browsing session.

Underlying Configuration

iRise Accelerator Products use Tomcat and either a bundled or stand-alone version of the Java Virtual Machine (JVM). If your product runs with a stand-alone version of the JVM, you must upgrade to version 7 of the JVM to address the vulnerability. Additionally, we strongly recommend that you run your Accelerator Product using TLS (Transport Layer Security - https). This article details the steps to configure Accelerator Products for use with TLS.

Patching iRise Accelerator Products

iRise recommends that this vulnerability be fixed ASAP. To fix this issue, it is necessary to add a line to the server.xml file in the 'connector' element and then restart the Accelerator Product service. The location of the Tomcat directory in the product directory is slightly different for each product. The best way to ensure you are modifying the correct server.xml file is to examine the service for the application in Services on your server. Right-click on the service and choose 'Properties' to see the path for the Tomcat instance the application is using. Here is an example of the location of Tomcat for a default installation of iRise Revision Manager v9.1. The part highlighted in yellow is the path to the Tomcat directory.

Once you have the Tomcat directory, drill one level down into the conf directory and edit the server.xml file. In the file, locate the active connector the application is using. Add the following line inside that 'connector' element, save the file and restart the service to effect the change.

 sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
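
One way to confirm the edit landed on the active connector is to parse server.xml and report each HTTPS connector's protocol list. This is an added example, not iRise or Tomcat code: the function name audit_connectors, the sample file and its port numbers are constructed, and it assumes the HTTPS connector is the one marked SSLEnabled="true".

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from an iRise installation): one plain
# HTTP connector, one patched and one unpatched HTTPS connector, one commented out.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" />
    <!-- <Connector port="7443" SSLEnabled="true" scheme="https" /> -->
  </Service>
</Server>
"""


def audit_connectors(server_xml_text):
    """Return (port, status, detail) for every active HTTPS connector."""
    root = ET.fromstring(server_xml_text)
    findings = []
    # ElementTree drops XML comments, so commented-out connectors are skipped
    # and only the connectors Tomcat will actually load are checked.
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector, no TLS settings to check
        port = conn.get("port", "?")
        raw = conn.get("sslEnabledProtocols")
        if raw is None:
            findings.append((port, "NEEDS_FIX", "sslEnabledProtocols is not set"))
            continue
        protocols = [p.strip() for p in raw.split(",") if p.strip()]
        legacy = [p for p in protocols if p.upper().startswith("SSL")]
        if legacy:
            findings.append((port, "NEEDS_FIX", "allows " + ",".join(legacy)))
        elif not protocols:
            findings.append((port, "NEEDS_FIX", "sslEnabledProtocols is empty"))
        else:
            findings.append((port, "OK", ",".join(protocols)))
    return findings


if __name__ == "__main__":
    for port, status, detail in audit_connectors(SAMPLE_SERVER_XML):
        print(f"connector port {port}: {status} ({detail})")
```

To check a real installation, pass the text of the server.xml from the Tomcat conf directory to audit_connectors.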

Additional Information

If you have any additional questions about the patch or would like confirmation that you have successfully patched your software, please do not hesitate to contact iRise Customer Support for assistance.
