
perfsonar-announce - POODLE: SSLv3.0 vulnerability (CVE-2014-3566)

Subject: perfSONAR Announcements

  • From: Jason Zurawski <>
  • To: perfsonar-user <>, perfsonar-announce <>
  • Cc: "" <>
  • Subject: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)
  • Date: Wed, 15 Oct 2014 08:01:17 -0700

Greetings;

This morning a new vulnerability in the SSLv3 libraries was disclosed. The
colloquial name is 'POODLE', keeping up this year's tradition of catchy ways
to make you feel better about how you will spend part of your day patching
devices. A write up is available here:

https://access.redhat.com/articles/1232123

And the full CVE from Red Hat is here:

https://access.redhat.com/security/cve/CVE-2014-3566

The best way to summarize the risk is that someone attempting a man in the
middle could steal authorization headers from HTTP traffic, and gain entry to
a server. This naturally impacts all servers implementing SSLv3 protocols,
including the perfSONAR Toolkit. There are no reports of perfSONAR servers
being victimized by this vulnerability, but the risk is a danger for any
communication that uses the vulnerable libraries.

As of this morning (Oct 15 2014) there is not an upstream patch available
from CentOS to correct the underlying problem in the libraries for servers.
Our development team has taken the steps to modify the Apache configuration
on the toolkit to disable use of SSLv3 within the 3.4 release of perfSONAR.
A new package is available in our yum repository that addresses this. We are
recommending that netinstall users:

- Check your logs to see if the package has been automatically downloaded
yet. The package names are perl-perfSONAR_PS-Toolkit-3.4-29.pSPS and
perl-perfSONAR_PS-Toolkit-SystemEnvironment-3.4-29.pSPS

- If you don't see it automatically downloaded, 'yum update' by hand.

A modification to the 3.3.2 release of the LiveCD is being built, but will
take more time. LiveCD users with concerns can power down, or expedite your
migration to the netinstall platform. There will not be a 3.3 package
released for netinstall users who have not upgraded yet - take this
opportunity to upgrade to 3.4 if possible.

We will keep everyone posted on when a patch from the upstream vendor is
released - for now we are confident that the changes we are implementing on
the server side will reduce the risk this vulnerability poses.

Thanks;

-jason
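
A configuration check for the mitigation the announcement describes (SSLv3 disabled in the Apache configuration), added here as an example; it is not perfSONAR's code and not part of the original message. The function names and the sample configuration are constructed for illustration. It assumes mod_ssl applies `SSLProtocol` tokens left to right with a bare protocol name replacing the set, and it treats `all` as including SSLv3.

```shell
#!/bin/sh
# Added example: audit Apache mod_ssl SSLProtocol directives for SSLv3.

# Succeeds (status 0) if one directive's arguments leave SSLv3 enabled.
# Tokens are applied left to right: "+x" adds, "-x" removes, and a bare
# name replaces the whole set (assumed mod_ssl behaviour).
sslv3_enabled() {
    v3=0
    for tok in "$@"; do
        case $(printf '%s' "$tok" | tr 'A-Z' 'a-z') in
            all|+all|sslv3|+sslv3) v3=1 ;;
            -all|-sslv3)           v3=0 ;;
            +*|-*)                 ;;      # other protocol toggled, SSLv3 unchanged
            *)                     v3=0 ;; # bare other protocol replaces the set
        esac
    done
    [ "$v3" -eq 1 ]
}

# Reads a config on stdin, reports every SSLProtocol line, and returns
# non-zero if any line keeps SSLv3 or if no directive is present at all.
audit_conf() {
    n=0; found=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f; set -- $line; set +f        # split on whitespace, no globbing
        [ $# -gt 0 ] || continue
        [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = sslprotocol ] || continue
        shift; found=1
        if sslv3_enabled "$@"; then
            bad=1; echo "line $n: SSLv3 ENABLED: $*"
        else
            echo "line $n: SSLv3 disabled: $*"
        fi
    done
    [ "$found" -eq 1 ] || { echo "no SSLProtocol directive; check the built-in default"; return 1; }
    [ "$bad" -eq 0 ]
}

sample_conf() {   # constructed sample, not the toolkit's shipped file
    cat <<'EOF'
# constructed example vhost settings
SSLProtocol all -SSLv2
    SSLProtocol all -SSLv2 -SSLv3
sslprotocol TLSv1
EOF
}

sample_conf | audit_conf || true
# Real use (path is an assumption; adjust to your install):
#   audit_conf < /etc/httpd/conf.d/ssl.conf
```

Each directive line is evaluated on its own, so a per-virtual-host override that re-enables SSLv3 is reported even when the global setting is correct.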

