Doc ID                : ADV236
Version              : 3.0
Status                : Published
Published date : 2/16/2015
Categories  : Security Issue, Foxboro Evo, I/A Series
Last Modified date : 4/3/2015

Customer Advisory
Advisory for McAfee ePO POODLE Vulnerability and Mitigation
April 3, 2015


Schneider Electric is committed to ensuring that our customers and employees are kept current on issues that might affect or improve product, system or process operation. We are dedicated to providing product and application reliability, and exceptional client service.   

Customer Advisories are intended to inform you of the possibility of a situation occurring at system installations, and the identified resolution. Schneider Electric recommends that our customers consider taking action to help prevent occurrence of the identified situation during your production process.

Potential Security Vulnerability:

It is recognized that the global threat environment is constantly changing and we are committed to helping our customers protect the security of their installations. We have reviewed the issue described in this Customer Advisory and determined that, if no action is taken, there is a potential security vulnerability that could allow an attacker to compromise the integrity, availability, or confidentiality of a product. We strongly advise customers to take note of the recommended actions and, where possible, to test such actions or patches on non-production systems prior to deployment into production environments. This approach is recommended in order to minimize risk and exposure to announced vulnerabilities.


In October 2014, three researchers from Google published findings about a vulnerability in SSL 3.0, a cryptographic protocol designed to provide secure communication over the internet. Although SSL 3.0 is nearly 15 years old, it is still widely used, including by browsers, VPNs, and email clients, and by Tomcat 5.5.x and other products.

POODLE (Padding Oracle On Downgraded Legacy Encryption) is the attack that exploits this vulnerability (CVE-2014-3566). It allows an attacker to steal information over time by altering communications between the SSL client and the server (a man-in-the-middle attack, or MITM).

McAfee ePO 5.0 and later versions disable SSLv3 by default, so the vulnerability is mitigated in those versions. ePO 4.6.6, however, is vulnerable to this issue. Because it runs on Tomcat 5.5.x, the issue can be mitigated by editing the server.xml file as described below.


This McAfee ePO software may be used in Schneider Electric's secure Foxboro Evo control networks. There are no known exploits of this vulnerability on Foxboro Evo systems at this time.


Before making the changes, run the following NMAP script at a command prompt (or use Zenmap) on a separate computer connected to the MESH network to verify that the ePO server is vulnerable:

NMAP is available at:

The Poodle script is available at:

          nmap -sV -v --script ssl-poodle <IP Address>

<IP Address> is the address of the ePO server computer.

You should receive the following results for Port 8443:

If the vulnerability exists, edit the server.xml file, as follows:

  1. Navigate to the server\conf folder under <ePO_installation_directory>, typically C:\Program Files\McAfee\ePolicy Orchestrator\server\conf.
  2. Create a backup copy of the server.xml file.
  3. Edit the server.xml file using WordPad.
  4. Search for <Connector to find the Connector elements (include the < character at the beginning of the search string). Do this for both Tomcat listening ports, 8443 and 8444.
  5. Within each Connector element, modify the sslProtocol and protocols attributes as illustrated in the following example:

    ePO 4.6 example:

    <Connector id="orion.server.https"
     port="8443" maxHttpHeaderSize="8192"
     maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
     enableLookups="false" disableUploadTimeout="true"
     acceptCount="100" scheme="https" secure="true"
     clientAuth="want"  sslProtocol="TLSv1.2"

    NOTE: If the protocols attribute does not exist, add it immediately following the sslProtocol attribute.
  6. Restart the McAfee ePolicy Orchestrator 4.6.6 Application Server service. Restarting this service also requires restarting two other McAfee services; a popup will list them, so select 'Yes'.

After making these changes, run the following NMAP script again to verify that the ePO server is not vulnerable:

          nmap -sV -v --script ssl-poodle <IP Address>

You should receive the following results for port 8443:
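As a local check to complement the NMAP verification, the following added example (not part of this advisory and not McAfee or Tomcat code) parses a server.xml and reports which of the two ePO HTTPS connectors still allow SSLv3 under Tomcat 5.5's connector attribute semantics. The sample server.xml, the connector id orion.server.agent and the function names are constructed for illustration; only orion.server.https, the ports and the two attribute names come from the advisory.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not from the advisory): the 8443
# connector is still on a default-style configuration, the 8444
# connector has been hardened as the advisory describes.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector id="orion.server.https" port="8443" scheme="https"
      secure="true" clientAuth="want" sslProtocol="TLS" />
    <Connector id="orion.server.agent" port="8444" scheme="https"
      secure="true" sslProtocol="TLSv1.2" protocols="TLSv1.2" />
    <Connector port="8080" scheme="http" />
  </Service>
</Server>"""

SSL_PORTS = {"8443", "8444"}   # the two Tomcat listening ports named above


def connector_allows_sslv3(attrs):
    """True when a Tomcat 5.5 JSSE connector may still negotiate SSLv3.

    Without a 'protocols' attribute Tomcat 5.5 leaves the JSSE default
    protocol set enabled, which on JREs of that era includes SSLv3, so a
    connector only counts as fixed when 'protocols' is present and lists
    no SSLv3 entry and sslProtocol does not select SSL outright.
    """
    if attrs.get("sslProtocol", "").upper().startswith("SSL"):
        return True
    protocols = attrs.get("protocols")
    if protocols is None:
        return True
    enabled = [p.strip().upper() for p in protocols.split(",") if p.strip()]
    return any(p == "SSL" or p.startswith("SSLV3") for p in enabled)


def audit_server_xml(xml_text):
    """Map each HTTPS connector on an ePO port to True if it still needs the fix."""
    root = ET.fromstring(xml_text)
    findings = {}
    for conn in root.iter("Connector"):
        port = conn.get("port")
        if port in SSL_PORTS and conn.get("scheme") == "https":
            findings[port] = connector_allows_sslv3(conn.attrib)
    return findings


if __name__ == "__main__":
    # Pass the path to <ePO_installation_directory>\server\conf\server.xml
    # to audit a real file; with no argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for port, vulnerable in sorted(audit_server_xml(text).items()):
        print(f"port {port}: {'SSLv3 still enabled' if vulnerable else 'OK'}")
```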


If you have any questions regarding this article, please contact your local Service Representative or a Schneider Electric Support Center at:

GCS Center
America's GCS
Asia Pacific GCS
Foxboro MA USA
Baarn NL
+86 21 37180086
+86 21 37180196

John Petty
Global Customer Support

Distribution to Schneider Electric Customers and Internal Personnel Only
All trademarks are registered to their respective owners.
All brand names are property of their respective owners.

Advisory #: 2015013abi Rev 3

©Schneider Electric. All rights reserved