perfSONAR User Q&A and Other Discussion

["Roderick Mooi" <>]

Hi all

For 3.3., as I understand these articles, disabling SSLv3 (if that's an 
option for you) should mitigate the vulnerability.

https://access.redhat.com/articles/1232123
https://access.redhat.com/solutions/1232413

In /etc/httpd/conf.d/ssl.conf
remove +SSLv3 from the line:
SSLProtocol -ALL +SSLv3 +TLSv1
so that it becomes:
SSLProtocol -ALL +TLSv1
and restart httpd
service httpd restart

Regards,

Roderick

>>> On 2014-10-15 at 17:01, Jason Zurawski 
>>> <>
>>>  wrote:
> Greetings;
> 
> This morning a new vulnerability in the SSLv3 libraries was disclosed.  The 
> colloquial name is 'POODLE', keeping up this year's tradition of catchy 
> ways 
> to make you feel better about how you will spend part of your day patching 
> devices.  A write up is available here:
> 
> https://access.redhat.com/articles/1232123 
> 
> And the full CVE from Redhat is here:
> 
> https://access.redhat.com/security/cve/CVE-2014-3566 
> 
> The best way to summarize the risk is that someone attempting a man in the 
> middle could steal authorization headers from HTTP traffic, and gain entry 
> to 
> a server.  This naturally impacts all servers implementing SSLv3 protocols, 
> including the perfSONAR Toolkit.  There are no reports of perfSONAR servers 
> being victimized by this vulnerability, but the risk is a danger for any 
> communication that uses the vulnerable libraries.  
> 
> As of this morning (Oct 15 2014) there is not an upstream patch available 
> from CentOS to correct the underlying problem in the libraries for servers. 
>  
> Our development team has taken the steps to modify the Apache configuration 
> on the toolkit to disable use of SSLv3 within the 3.4 release of perfSONAR. 
>  
> A new package is available in our yum repository that addresses this.  We 
> are 
> recommending that netinstall users:
> 
>  - Check your logs to see if the package has been automatically downloaded 
> yet.  The package names are perl-perfSONAR_PS-Toolkit-3.4-29.pSPS and 
> perl-perfSONAR_PS-Toolkit-SystemEnvironment-3.4-29.pSPS
> 
>  - If you don't see it automatically downloaded, 'yum update' by hand.  
> 
> A modification to the 3.3.2 release of the LiveCD is being built, but will 
> take a more time. LiveCD users with concerns can power down, or expedite 
> your 
> migration to the netinstall platform.  There will not be a 3.3 package 
> released for netinstall users who have not upgraded yet - take this 
> opportunity to upgrade to 3.4 if possible.  
> 
> We will keep everyone posted on when a patch from the upstream vendor is 
> released - for now we are confident that the changes we are implementing on 
> the server side will reduce the risk this vulnerability poses.  
> 
> Thanks;
> 
> -jason
> -- 
> This message is subject to the CSIR's copyright terms and conditions, 
> e-mail 
> legal notice, and implemented Open Document Format (ODF) standard. 
> The full disclaimer details can be found at 
> http://www.csir.co.za/disclaimer.html.
> 
> This message has been scanned for viruses and dangerous content by 
> MailScanner, 
> and is believed to be clean.
> 
> Please consider the environment before printing this email.


-- 
This message is subject to the CSIR's copyright terms and conditions, e-mail 
legal notice, and implemented Open Document Format (ODF) standard. 
The full disclaimer details can be found at 
http://www.csir.co.za/disclaimer.html.

This message has been scanned for viruses and dangerous content by 
MailScanner, 
and is believed to be clean.

Please consider the environment before printing this email.