Problem
Symantec Data Loss Prevention uses the SSL/TLS protocol to secure network communications. SSL/TLS channels are used between the client browser and the Enforce Server, between the Enforce Server and detection servers, and between the Endpoint Server and DLP Agents. Of these, only the channel between the client browser and the Enforce Server administration console may negotiate SSL 3.0.
SSL 3.0 uses nondeterministic CBC padding in cipher suites that use CBC mode, which makes it easier for man-in-the-middle attackers to obtain clear-text data via a padding-oracle attack (dubbed POODLE, Padding Oracle On Downgraded Legacy Encryption). An attacker who can force a downgrade from TLS to SSL 3.0 can then recover secrets such as session cookies from the encrypted channel.
Solution
SSL/TLS channel | Protocols that can be negotiated | Impact | Comments
Web browser <–> Enforce Server administration console | SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2 | Affected (SSL 3.0 may be negotiated; the product itself is not vulnerable) | Action required; see below.
Enforce Server <–> detection servers | TLS 1.0, TLS 1.1, TLS 1.2 | Not affected | No action required. The Enforce Server and detection servers use TLS by default for communication.
Endpoint Server <–> DLP Agents | TLS 1.0, TLS 1.1, TLS 1.2 | Not affected | No action required. The Endpoint Server and DLP Agents use TLS by default for communication.

Web browser <–> Enforce Server administration console: action required

Depending on the Data Loss Prevention version, SSL 3.0 support can be disabled either in the web browser or by updating the Tomcat configuration on the Enforce Server. Updating the Tomcat configuration is the recommended, long-term approach: it ensures SSL 3.0 is never negotiated with any browser, instead of relying on every administrator's browser being configured correctly.

Data Loss Prevention 11.6.x and 12.x

To disable SSL 3.0 support via the Tomcat server configuration files:

Alternatively, SSL 3.0 support can be disabled in the web browser by following the steps given below for Data Loss Prevention 11.5.x and earlier.

Data Loss Prevention 11.5.x and earlier

SSL 3.0 support must be disabled in the web browser.

In Firefox:

In Internet Explorer:
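The following is an added example, not part of the Symantec article and not Symantec's own configuration or tooling. It audits a Tomcat server.xml for HTTPS connectors that could still negotiate SSL 3.0, shows a weak connector beside its hardened form, and rewrites the weak one. It assumes the standard Tomcat JSSE connector attributes (sslEnabledProtocols on Tomcat 6.0.38+ and 7.x, and the older sslProtocols); the server.xml snippets, port numbers and keystore values are constructed for illustration, and the location of the Enforce Server's server.xml is not stated here because the article does not give it.

```python
# Added example (not from the Symantec article): audit a Tomcat server.xml for
# HTTPS connectors that could still negotiate SSL 3.0, and pin them to TLS only.
# Assumptions: Tomcat JSSE connector attributes "sslEnabledProtocols" (6.0.38+,
# 7.x) and the legacy "sslProtocols"; the XML below is constructed sample data.
import xml.etree.ElementTree as ET

# Constructed sample: the HTTPS connector sets only sslProtocol="TLS", which on
# older JVMs selects an SSLContext that still offers SSLv3 to clients.
WEAK_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="conf/.keystore" keystorePass="changeit"/>
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
  </Service>
</Server>
"""

# Constructed sample of the corrected connector: the enabled protocol list is
# restricted explicitly, so SSLv3 is never offered regardless of JVM defaults.
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               keystoreFile="conf/.keystore" keystorePass="changeit"/>
  </Service>
</Server>
"""


def audit_connectors(server_xml):
    """Return one finding per SSL-enabled Connector.

    A connector passes only if it explicitly lists protocols and every entry is
    a TLS version. A missing list is flagged because the JVM default decides
    what is offered; SSLv3 (and the legacy SSLv2Hello wrapper) are flagged as
    non-TLS entries.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector: no TLS stack to configure
        port = conn.get("port")
        enabled = conn.get("sslEnabledProtocols") or conn.get("sslProtocols")
        if not enabled:
            findings.append({"port": port, "ok": False,
                             "reason": "no sslEnabledProtocols/sslProtocols; "
                                       "JVM default may include SSLv3"})
            continue
        protos = [p.strip() for p in enabled.split(",") if p.strip()]
        bad = [p for p in protos if not p.upper().startswith("TLS")]
        if bad:
            findings.append({"port": port, "ok": False,
                             "reason": "non-TLS protocols enabled: " + ", ".join(bad)})
        else:
            findings.append({"port": port, "ok": True,
                             "reason": "only TLS versions enabled: " + ", ".join(protos)})
    return findings


def harden_connectors(server_xml, protocols=("TLSv1", "TLSv1.1", "TLSv1.2")):
    """Return server.xml with every SSL-enabled Connector pinned to `protocols`.

    The legacy sslProtocols attribute is removed so the two settings cannot
    disagree; everything else on the connector is left untouched.
    """
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            conn.attrib.pop("sslProtocols", None)
            conn.set("sslEnabledProtocols", ",".join(protocols))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for f in audit_connectors(xml):
            print(f"{label}: port {f['port']}: {'OK' if f['ok'] else 'FAIL'} - {f['reason']}")
    print(harden_connectors(WEAK_SERVER_XML))
```

After restarting Tomcat, confirm from a separate host that the administration console no longer completes an SSL 3.0 handshake, for example with `openssl s_client -connect <enforce-host>:443 -ssl3` (expect a handshake failure; this requires an OpenSSL build that still has SSLv3 enabled) or `nmap --script ssl-enum-ciphers -p 443 <enforce-host>`, which should list no SSLv3 section.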
References
https://support.symantec.com/en_US/article.TECH225739.html