Project and Portfolio Management Practitioners Forum

ALERT: RC4 cipher “Bar Mitzvah” vulnerability & Impact on PPM

Iliev
Honored Contributor.


This vulnerability is not specific to a particular HP or non-HP product. 

Instead it is a vulnerability of a specific encryption algorithm/cipher known as RC4 which may be used in SSL/TLS communications between various HP product end-points.

HP has investigated CVE-2015-2808 in relation to HP Project and Portfolio Management Center (PPM).

 

Detailed information about this vulnerability and how to mitigate it for HP Project and Portfolio Management Center (PPM) has been published at the link below:

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01598335

2 REPLIES
Scott A Wood
Respected Contributor.

Re: ALERT: RC4 cipher “Bar Mitzvah” vulnerability & Impact on PPM

RC4 is fairly out of date.  I wonder if it is possible to remove it from the Apache list of available cipher suites.  I know Firefox is moving towards disallowing RC4 (with some exceptions) in the near future, so we will hopefully have some protection on the browser end soon also.

prgnfalcon
Respected Contributor.

Re: ALERT: RC4 cipher “Bar Mitzvah” vulnerability & Impact on PPM

Assuming you are referring to Apache HTTP server...the KB article posted in the OP has the following advice:

 

HP Project and Portfolio Management Center Server and External Web Servers 

If you are using an external (third-party) Web server with PPM in order to encrypt PPM communications with HTTPS (TLS/SSL), you must consult with the third-party vendor for information on how to resolve this vulnerability.

...

https://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite

 

Hope that helps.

Regards...
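
The `SSLCipherSuite` directive linked above is where RC4 is removed when Apache HTTP Server with mod_ssl terminates HTTPS in front of PPM. The fragment below is an added example, not text from the HP KB article or from any poster in this thread; the cipher strings are illustrative assumptions, not HP's recommended values.

```apache
# Added example: assumes Apache httpd with mod_ssl handling TLS for PPM.
# Place inside the <VirtualHost> (or server config) that has SSLEngine on.

# Before: on OpenSSL builds that still include RC4, a broad string such as
# this one leaves RC4 suites available for negotiation.
# SSLCipherSuite ALL:!aNULL:!eNULL

# After: "!RC4" permanently removes every RC4 suite from the list, so a
# later term in the string cannot add it back.
SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4

# To see which suites a string expands to on this host's OpenSSL, run
#   openssl ciphers -v 'HIGH:!aNULL:!eNULL:!MD5:!RC4'
# and confirm that no line in the output names RC4.
```

Restart or gracefully reload httpd after the change so the new cipher list takes effect.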