
Article ID: 131934, created on Dec 19, 2017, last review on Dec 19, 2017

  • Applies to:
  • Operations Automation
  • Business Automation

Symptoms

It was found that the XML-RPC OpenAPI endpoint of an OA or BA installation accepts connections over the outdated protocols TLS v1.1 and SSL v3.

Cause

Both OA and BA use a custom IQXMLRPC library to establish connections to XMLRPCD. Feature request PFR-1247 has been submitted to the developers to replace this library with a standard one that supports more recent protocol versions.

Resolution

Mitigation is not required.

TLS v1.1 has no known practical protocol-level break, although it lacks the AEAD cipher suites of TLS v1.2 and is deprecated by current standards.

SSL v3 is known to be insecure because of the POODLE attack. POODLE is an active attack, not a passive one in which the attacker only observes traffic on the wire: the attacker must both be positioned as a man-in-the-middle (to modify ciphertext records and observe whether the server accepts them) and be able to make the victim's client send many requests containing attacker-controlled plaintext next to the secret, which in practice means running JavaScript in the victim's browser. Only when both conditions are met can the attacker decrypt part of the SSL-protected traffic, such as a session cookie, one byte at a time.

Because XML-RPC clients have no browser component, an attacker has no way to make the client repeatedly send chosen plaintext alongside the secret. Therefore the POODLE attack cannot be applied to the XML-RPC case.

