Skip to Content.
Sympa Menu

perfsonar-announce - Re: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)

Subject: perfSONAR Announcements

List archive

Re: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)


Chronological Thread 
  • From: "Roderick Mooi" <>
  • To: "perfsonar-user" <>, "perfsonar-announce" <>
  • Cc: "" <>
  • Subject: Re: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)
  • Date: Thu, 16 Oct 2014 09:37:47 +0200

Hi all

For 3.3., as I understand these articles, disabling SSLv3 (if that's an
option for you) should mitigate the vulnerability.

https://access.redhat.com/articles/1232123
https://access.redhat.com/solutions/1232413

In /etc/httpd/conf.d/ssl.conf
remove +SSLv3 from the line:
SSLProtocol -ALL +SSLv3 +TLSv1
so that it becomes:
SSLProtocol -ALL +TLSv1
and restart httpd
service httpd restart

Regards,

Roderick

>>> On 2014-10-15 at 17:01, Jason Zurawski
>>> <>
>>> wrote:
> Greetings;
>
> This morning a new vulnerability in the SSLv3 libraries was disclosed. The
> colloquial name is 'POODLE', keeping up this year's tradition of catchy
> ways
> to make you feel better about how you will spend part of your day patching
> devices. A write up is available here:
>
> https://access.redhat.com/articles/1232123
>
> And the full CVE from Redhat is here:
>
> https://access.redhat.com/security/cve/CVE-2014-3566
>
> The best way to summarize the risk is that someone attempting a man in the
> middle could steal authorization headers from HTTP traffic, and gain entry
> to
> a server. This naturally impacts all servers implementing SSLv3 protocols,
> including the perfSONAR Toolkit. There are no reports of perfSONAR servers
> being victimized by this vulnerability, but the risk is a danger for any
> communication that uses the vulnerable libraries.
>
> As of this morning (Oct 15 2014) there is not an upstream patch available
> from CentOS to correct the underlying problem in the libraries for servers.
>
> Our development team has taken the steps to modify the Apache configuration
> on the toolkit to disable use of SSLv3 within the 3.4 release of perfSONAR.
>
> A new package is available in our yum repository that addresses this. We
> are
> recommending that netinstall users:
>
> - Check your logs to see if the package has been automatically downloaded
> yet. The package names are perl-perfSONAR_PS-Toolkit-3.4-29.pSPS and
> perl-perfSONAR_PS-Toolkit-SystemEnvironment-3.4-29.pSPS
>
> - If you don't see it automatically downloaded, 'yum update' by hand.
>
> A modification to the 3.3.2 release of the LiveCD is being built, but will
> take a more time. LiveCD users with concerns can power down, or expedite
> your
> migration to the netinstall platform. There will not be a 3.3 package
> released for netinstall users who have not upgraded yet - take this
> opportunity to upgrade to 3.4 if possible.
>
> We will keep everyone posted on when a patch from the upstream vendor is
> released - for now we are confident that the changes we are implementing on
> the server side will reduce the risk this vulnerability poses.
>
> Thanks;
>
> -jason
> --
> This message is subject to the CSIR's copyright terms and conditions,
> e-mail
> legal notice, and implemented Open Document Format (ODF) standard.
> The full disclaimer details can be found at
> http://www.csir.co.za/disclaimer.html.
>
> This message has been scanned for viruses and dangerous content by
> MailScanner,
> and is believed to be clean.
>
> Please consider the environment before printing this email.


--
This message is subject to the CSIR's copyright terms and conditions, e-mail
legal notice, and implemented Open Document Format (ODF) standard.
The full disclaimer details can be found at
http://www.csir.co.za/disclaimer.html.

This message has been scanned for viruses and dangerous content by
MailScanner,
and is believed to be clean.

Please consider the environment before printing this email.




Archive powered by MHonArc 2.6.16.

Top of Page