49184: POODLE Vulnerability Status for Acronis Access Advanced, MassTransit and Acronis Access Connect

This article applies to:

  • Acronis Mobility products: Acronis Access, Acronis MassTransit and Acronis Access Connect
  • POODLE SSL 3.0 Vulnerability (CVE-2014-3566), which affects all implementations of SSL 3.0. 

Acronis MassTransit

There are two components in a typical installation: the MT Server and the IIS web server.

MT Server
MT Server is not vulnerable to POODLE as long as the TCP/IP Secure incoming call configuration has the "Legacy SSLv2/3" support checkbox OFF (when it is OFF, we only use TLSv1):

MT Web
For MT Web, you need to modify the IIS configuration to reject SSLv3 connections as described in this Microsoft Technet article:

You can disable support for the SSL 3.0 protocol on Windows by following these steps:

  1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key:
    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\SSL 3.0\Server
    Note: If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
  3. On the Edit menu, click Add Value.
  4. In the Data Type list, click DWORD.
  5. In the Value Name box, type Enabled, and then click OK.
    Note: If this value is present, double-click the value to edit its current value.
  6. Type 00000000 in Binary Editor to set the value of the new key equal to "0".
  7. Click OK. Restart the computer.

Note: This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.
Note: After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server.

  

Acronis Access

There are two components that need mitigation: the Access Tomcat and the Access Gateway.

Access Tomcat
The Access Tomcat server uses the Apache Portable Runtime (APR) for handling SSL connections.  APR is built using OpenSSL. Until a new version of APR is available that has the fix in OpenSSL integrated, the solution is to disable support for SSLv3 in the Tomcat file server.xml configuration file and restart the Access Tomcat service.

The specific change is to add SSLProtocol="TLSv1" to the Connector section of the XML file. Below is an example of where the change can be plugged in. Do not replace the whole block of text -- there are other settings that are specific to your server:

  <Connector maxHttpHeaderSize="65536"
maxThreads="150"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="https"
secure="true"
SSLEnabled="true"
      SSLProtocol="TLSv1"
SSLCertificateFile="***Access certificate file***"
SSLCertificateKeyFile="***Access key file***"
SSLCertificateChainFile="***Access chain file***" port="443" 

address="XXX.XXX.XXX.XXX"
connectionTimeout="-1"
URIEncoding="UTF-8"
/>

Access Gateway
The Access Gateway uses the built-in Windows HTTPS server. Until Microsoft issues a security patch with a fix, the solution is to disable SSLv3 support in the Windows operating system as described by Microsoft in this Microsoft Technet article (see: Disable SSL 3.0 in Windows).

 

On Windows Server 2008 R2 machines, you will also have to do the following:

  1. Open the registry editor and find: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
  2. Right-click on the SSL 2.0 folder and select New and then click Key. Name the new folder Server.
  3. Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
  4. Enter Enabled as the name and hit Enter. Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and select Modify and enter 0 as the Value data.

 

Acronis Access Connect

Is not vulnerable since it does not use HTTPS.

Please note that we cannot individually respond to all comments. We do read, analyze and work to improve our content, products and services based off the feedback we receive. Should you need technical or customer service assistance please visit our Support Portal
Please note that we cannot individually respond to all comments. We do read, analyze and work to improve our content, products and services based off the feedback we receive. Should you need technical or customer service assistance please visit our Support Portal
3 + 13 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
You are reporting a typo in the following text:
Simply click the "Send typo report" button to complete the report. You can also include a comment.
CAPTCHA
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
2 + 9 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.