Iliev

ALERT: RC4 cipher “Bar Mitzvah” vulnerability & Impact on PPM

 

This vulnerability is not specific to a particular HP or non-HP product. 

Instead, it is a vulnerability of a specific encryption algorithm/cipher known as RC4, which may be used in SSL/TLS communications between various HP product end-points.

HP has investigated CVE-2015-2808 in relation to HP Project and Portfolio Management Center (PPM).

 

Detailed information about this vulnerability and how to mitigate it for HP Project and Portfolio Management Center (PPM) has been published at the link below:

 

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01598335

0 Likes
2 Replies
Scott A Wood

Re: ALERT: RC4 cipher “Bar Mitzvah” vulnerability & Impact on PPM

RC4 is fairly out of date. I wonder if it is possible to remove it from the Apache list of available cipher suites. I know Firefox is moving towards disallowing RC4 (with some exceptions) in the near future, so we will hopefully have some protection on the browser end soon also.

0 Likes
prgnfalcon

Re: ALERT: RC4 cipher “Bar Mitzvah” vulnerability & Impact on PPM

Assuming you are referring to Apache HTTP server...the KB article posted in the OP has the following advice:

 

HP Project and Portfolio Management Center Server and External Web Servers 

If you are using an external (third-party) Web server with PPM in order to encrypt PPM communications with HTTPS (TLS/SSL), you must consult with the third-party vendor for information on how to resolve this vulnerability.

...

https://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite

 

Hope that helps.

Regards...

0 Likes
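
For the Apache HTTP Server case raised in the replies above, here is an added example (not from the thread, the HP KB article, or the Apache project) that audits a mod_ssl configuration for `SSLCipherSuite` directives that may still permit RC4. It applies a conservative rule, flagging every directive that lacks an explicit `!RC4` exclusion; the sample configuration and the function name `rc4_findings` are constructed for illustration.

```python
import re

# Constructed sample httpd/mod_ssl configuration (not from the thread or the KB article).
SAMPLE_CONF = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    # SSLCipherSuite RC4-SHA
    SSLCipherSuite "HIGH:MEDIUM:!aNULL:!RC4:+RC4"
</VirtualHost>
<VirtualHost *:9443>
    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM:!aNULL
</VirtualHost>
"""

# Apache directive names are case-insensitive; commented-out lines do not match.
DIRECTIVE = re.compile(r"^\s*SSLCipherSuite\s+(.+?)\s*$", re.IGNORECASE)


def rc4_findings(conf_text):
    """Return (line_no, cipher_spec, reason) for each directive that may allow RC4."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        match = DIRECTIVE.match(line)
        if not match:
            continue
        # The cipher spec is the last argument; it may be quoted.
        spec = match.group(1).split()[-1].strip("\"'")
        tokens = [t for t in re.split(r"[:,]", spec) if t]
        # "!RC4" removes every RC4 suite permanently; later tokens cannot re-add them.
        if "!RC4" in tokens:
            continue
        # Tokens without a !, - or + prefix add suites to the list.
        added = [t for t in tokens if t[0] not in "!-+" and "RC4" in t.upper()]
        if added:
            reason = "adds RC4 suites: " + ", ".join(added)
        else:
            reason = "no !RC4 exclusion; aliases may expand to RC4 suites"
        findings.append((line_no, spec, reason))
    return findings


if __name__ == "__main__":
    for line_no, spec, reason in rc4_findings(SAMPLE_CONF):
        print(f"line {line_no}: {spec} -> {reason}")
```

Whether an alias such as `ALL` or `MEDIUM` actually expands to RC4 suites depends on the OpenSSL build behind mod_ssl, so a directive flagged only for the missing exclusion should be confirmed against that build.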