
SAP BusinessObjects and Poodlebleed

Following the infamous Heartbleed bug earlier this year comes another SSL/TLS security issue, POODLE (CVE-2014-3566), popularised as "Poodlebleed" by the test site of that name. Unlike Heartbleed, which was an implementation bug in OpenSSL, POODLE is a design flaw in SSL 3.0 itself, so it affects every server that still accepts SSLv3 regardless of which SSL library it uses. Unfortunately, that includes out-of-the-box BusinessObjects installs, particularly if you are running Tomcat with an SSL connector.

From the Poodlebleed site's description:

Poodlebleed is a vulnerability in the design of SSL version 3.0. Poodle is actually an acronym for Padding Oracle On Downgraded Legacy Encryption. The vulnerability allows decryption to plaintext of secure connections.

Newer releases of Tomcat, such as the Tomcat 7.0 bundled with recent SAP BusinessObjects 4.x releases, negotiate TLS by default. However, out of the box the SSL connector also accepts the much older SSLv3 for the sake of legacy browsers, and that is where the problem lies. POODLE does not break TLS itself: an attacker positioned between the browser and the server interferes with the TLS handshake until the browser retries with SSLv3 (the "downgraded legacy encryption" in the name), then abuses SSLv3's weak CBC padding check as a padding oracle to recover small pieces of the encrypted traffic, typically a session cookie, one byte at a time. For BusinessObjects that means the BI launch pad or CMC session cookie sent over an otherwise secure connection could be decrypted and reused.

So, how do we fix this problem? Thankfully, we can disable just SSLv3 in the Tomcat connector configuration and leave TLS 1.0 to 1.2 in place. Clients that can only speak SSLv3 (in practice, Internet Explorer 6 on Windows XP with its default settings) will no longer be able to connect to your BusinessObjects web applications, but every modern browser will be protected, because the forced downgrade to SSLv3 can no longer succeed.

To fix this issue, open Tomcat's server.xml and locate the SSL Connector element. It is the Connector with SSLEnabled="true", usually on port 443 or 8443, so use the port to help you identify the correct element. It will look something like this (keystore attributes omitted):

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />

Per the Tomcat 7.0 documentation, the sslEnabledProtocols attribute of the default (JSSE-based) HTTP/1.1 connector controls which protocol versions the server will negotiate; when it is absent, the JVM's default set applies, and on the Java 7 releases current at the time of writing that set still includes SSLv3. We just need to add this attribute listing only the protocols we want to allow, in this case the TLS versions. See the last attribute below.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />

Save server.xml and restart Tomcat, then retest. The Poodlebleed site will check your server from the outside; from any machine with OpenSSL installed you can also run openssl s_client -connect your.bi.server:8443 -ssl3 (replace the host and port with your own): a handshake failure now means SSLv3 is off, while a completed handshake means the connector still accepts it. Note that if you are using the APR/native (OpenSSL-based) connector instead of the default JSSE one, the attribute is SSLProtocol rather than sslEnabledProtocols, for example SSLProtocol="TLSv1+TLSv1.1+TLSv1.2". Older versions of BusinessObjects or Tomcat differ slightly, so consult the Tomcat documentation for your version or call your friendly Altek Solutions consultant!
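On a server with several Tomcat instances it helps to know, before restarting anything, which connectors actually still accept SSLv3. The script below is an added example written for this post, not code from SAP, Apache Tomcat or the original article. It parses a server.xml, finds every connector with SSLEnabled="true" and reports whether SSLv3 can still be negotiated, applying the rule for the JSSE connector (sslEnabledProtocols, JVM default when absent) and for the APR/native connector (SSLProtocol, default "all"). The server.xml embedded in it is constructed for the demonstration, and the statement that the JVM default still includes SSLv3 is an assumption that holds for Java 7 before 7u75 and Java 8 before 8u31; verify it against the JVM your BusinessObjects install runs on.

```python
"""Audit a Tomcat server.xml for HTTPS connectors that still accept SSLv3.

Added example for this post; not code from SAP, Apache Tomcat or the
original article. Rules implemented:
  * JSSE connector (the default HTTP/1.1 connector): sslEnabledProtocols
    lists what may be negotiated. If absent, the JVM default applies, which
    still included SSLv3 on Java 7 before 7u75 and Java 8 before 8u31
    (assumption; verify against your JVM).
  * APR/native connector (Http11AprProtocol): SSLProtocol uses OpenSSL-style
    names joined with '+' and defaults to "all".
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: one plain HTTP connector and three HTTPS connectors.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- out-of-the-box JSSE connector: no sslEnabledProtocols -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"/>
    <!-- fixed JSSE connector -->
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
    <!-- APR/native connector left at its default protocol set -->
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true" SSLProtocol="all"/>
  </Service>
</Server>
"""


def _protocol_set(value, separator):
    """Split a protocol list attribute into a set of trimmed names."""
    return {p.strip() for p in value.split(separator) if p.strip()}


def connector_allows_sslv3(attrs):
    """Classify one <Connector> from its attribute dict.

    Returns (None, reason) for non-HTTPS connectors, otherwise
    (True|False, reason) saying whether SSLv3 can still be negotiated.
    """
    if attrs.get("SSLEnabled", "false").lower() != "true":
        return None, "not an HTTPS connector"

    is_apr = "Apr" in attrs.get("protocol", "") or "SSLProtocol" in attrs
    if is_apr:
        protos = _protocol_set(attrs.get("SSLProtocol", "all"), "+")
        joined = "+".join(sorted(protos))
        if "all" in protos or "SSLv3" in protos:
            return True, 'APR connector: SSLProtocol="%s" includes SSLv3' % joined
        return False, "APR connector: SSLProtocol restricted to " + joined

    enabled = attrs.get("sslEnabledProtocols")
    if enabled is None:
        return True, ("JSSE connector: sslEnabledProtocols not set, so the JVM default "
                      "applies (includes SSLv3 on Java 7 < 7u75 / Java 8 < 8u31)")
    protos = _protocol_set(enabled, ",")
    if "SSLv3" in protos:
        return True, "JSSE connector: sslEnabledProtocols explicitly lists SSLv3"
    return False, "JSSE connector: sslEnabledProtocols restricted to " + ",".join(sorted(protos))


def audit_server_xml(xml_text):
    """Return [(port, allows_sslv3, reason)] for every HTTPS connector."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        allows, reason = connector_allows_sslv3(conn.attrib)
        if allows is not None:
            findings.append((conn.get("port"), allows, reason))
    return findings


def main(argv):
    # Audit the server.xml given on the command line, or the constructed sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_SERVER_XML
    for port, allows, reason in audit_server_xml(xml_text):
        print("%-5s %-10s %s" % (port, "VULNERABLE" if allows else "ok", reason))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as python audit_sslv3.py /path/to/tomcat/conf/server.xml; with no argument it audits the embedded sample, flagging ports 8443 and 8445 and passing 8444. The check is static, so it tells you what the configuration permits, not what the running JVM actually negotiates; finish with the openssl s_client -ssl3 handshake test against the live port.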

For more information, check out the SAP Support note below:

2083444 – Impact of the POODLE vulnerability on SAP BusinessObjects software
