Thursday, August 13, 2015

Resolution for POODLE SSLv3.0 vulnerability (CVE-2014-3566) in httpd: Migrate to TLS

 Issue

  • How do I avoid impact to httpd from CVE-2014-3566?

Environment

  • Red Hat Enterprise Linux 5, 6, 7
  • Red Hat JBoss Enterprise Application Platform (EAP) 5, 6
  • JBoss Enterprise Web Server (EWS) 1, 2
  • Inktank Ceph Enterprise (ICE) 1
  • Red Hat Storage Console
  • Red Hat Enterprise Virtualization

Resolution

To avoid this vulnerability, Red Hat recommends disabling SSL and using only TLSv1.1 or TLSv1.2. Backwards compatibility can be achieved using TLSv1.0. Many products Red Hat supports have the ability to use SSLv2 or SSLv3 protocols, or enable them by default. However use of SSLv2 or SSLv3 is now strongly recommended against.
The SSL/TLS support in httpd can be provided by the mod_ssl module using the OpenSSL library, or by the mod_nss module using the NSS library.
Examples below enable all TLS versions currently supported by specified product versions.

Disabling SSL 3.0 in mod_ssl

To mitigate this vulnerability as it affects httpd using mod_ssl, set the SSLProtocol directive as follows in/etc/httpd/conf.d/ssl.conf:
Note: This directive must either be located at the topmost level of the configuration file, or inside the default virtual host configuration for an address.
Option 1: Disable SSLv2 and SSLv3 (Enable everything except SSLv2 and SSLv3)
    SSLProtocol All -SSLv2 -SSLv3
Then restart httpd:
    # service httpd restart
Option 2: Disable everything except TLSv1.x
On Red Hat Enterprise Linux 7 or Red Hat Enterprise Linux 6.6 and later:
    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
On other platforms, including Red Hat Enterprise Linux 5
    SSLProtocol -All +TLSv1
Then restart httpd:
    # service httpd restart

Disabling SSL 3.0 in mod_nss

To mitigate this vulnerability as it affects httpd using mod_nss, set the NSSProtocol directive as follows in/etc/httpd/conf.d/nss.conf:
Red Hat Enterprise Linux 6 and later:
  NSSProtocol TLSv1.0,TLSv1.1
Red Hat Enterprise Linux 5:
  NSSProtocol TLSv1.0
Then restart httpd:
    # service httpd restart

Root Cause

A vulnerability was found in the SSLv3.0 protocol. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. For more information about this vulnerability, refer to the following article: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)

Diagnostic Steps

For diagnostic steps, refer to the following article: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)

No comments:

Post a Comment