Issue
- How do I avoid impact to httpd from CVE-2014-3566?
Environment
- Red Hat Enterprise Linux 5, 6, 7
- Red Hat JBoss Enterprise Application Platform (EAP) 5, 6
- JBoss Enterprise Web Server (EWS) 1, 2
- Inktank Ceph Enterprise (ICE) 1
- Red Hat Storage Console
- Red Hat Enterprise Virtualization
Resolution
To avoid this vulnerability, Red Hat recommends disabling SSL and using only TLSv1.1 or TLSv1.2. Backwards compatibility can be achieved using TLSv1.0. Many products Red Hat supports have the ability to use the SSLv2 or SSLv3 protocols, or enable them by default. However, use of SSLv2 or SSLv3 is now strongly discouraged.
The SSL/TLS support in httpd can be provided by the mod_ssl module using the OpenSSL library, or by the mod_nss module using the NSS library.
The examples below enable all TLS versions currently supported by the specified product versions.
Disabling SSL 3.0 in mod_ssl
To mitigate this vulnerability as it affects httpd using mod_ssl, set the SSLProtocol directive as follows in /etc/httpd/conf.d/ssl.conf:
Note: This directive must either be located at the topmost level of the configuration file, or inside the default virtual host configuration for an address.
Option 1: Disable SSLv2 and SSLv3 (Enable everything except SSLv2 and SSLv3)
SSLProtocol All -SSLv2 -SSLv3
Then restart httpd:
# service httpd restart
Option 2: Disable everything except TLSv1.x
On Red Hat Enterprise Linux 7 or Red Hat Enterprise Linux 6.6 and later:
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
On other platforms, including Red Hat Enterprise Linux 5:
SSLProtocol -All +TLSv1
Then restart httpd:
# service httpd restart
Disabling SSL 3.0 in mod_nss
To mitigate this vulnerability as it affects httpd using mod_nss, set the NSSProtocol directive as follows in /etc/httpd/conf.d/nss.conf:
Red Hat Enterprise Linux 6 and later:
NSSProtocol TLSv1.0,TLSv1.1
Red Hat Enterprise Linux 5:
NSSProtocol TLSv1.0
Then restart httpd:
# service httpd restart
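To confirm that the edited files no longer enable SSLv2 or SSLv3, the directives can be audited offline. The following is an added example, not part of the original article or a Red Hat tool: the function name audit_ssl_protocols and the sample configuration are constructed for illustration. It assumes mod_ssl evaluates SSLProtocol tokens left to right (a bare token replaces the set, + adds, - removes) and conservatively treats "All" as including both SSLv2 and SSLv3.

```shell
# Added example: flag SSLProtocol / NSSProtocol directives that leave SSLv2/SSLv3 on.
audit_ssl_protocols() {
    awk '
    { sub(/#.*/, ""); d = tolower($1); v2 = v3 = 0 }
    d == "sslprotocol" {             # mod_ssl: tokens apply left to right (assumed model)
        for (i = 2; i <= NF; i++) {
            t = tolower($i); act = ""
            if (t ~ /^[+-]/) { act = substr(t, 1, 1); t = substr(t, 2) }
            is2 = (t == "all" || t == "sslv2")
            is3 = (t == "all" || t == "sslv3")
            if (act == "-")      { if (is2) v2 = 0; if (is3) v3 = 0 }
            else if (act == "+") { if (is2) v2 = 1; if (is3) v3 = 1 }
            else                 { v2 = is2; v3 = is3 }   # bare token replaces the set
        }
    }
    d == "nssprotocol" {             # mod_nss: comma-separated protocol list
        for (i = 2; i <= NF; i++) {
            n = split(tolower($i), p, ",")
            for (j = 1; j <= n; j++) {
                if (p[j] == "all" || p[j] == "sslv2") v2 = 1
                if (p[j] == "all" || p[j] == "sslv3") v3 = 1
            }
        }
    }
    d == "sslprotocol" || d == "nssprotocol" {
        weak = (v2 || v3); if (weak) bad = 1
        printf "%s:%d: %s => %s\n", FILENAME, FNR, $0, \
            (weak ? "WEAK:" (v2 ? " SSLv2" : "") (v3 ? " SSLv3" : "") : "OK")
    }
    END { exit bad + 0 }             # non-zero exit if any directive is weak
    ' "$1"
}

# Constructed sample configuration (not taken from a real host).
sample=$(mktemp)
printf '%s\n' 'SSLProtocol All -SSLv2' 'SSLProtocol All -SSLv2 -SSLv3' \
    'NSSProtocol TLSv1.0,TLSv1.1' > "$sample"
audit_ssl_protocols "$sample" || echo "at least one directive still allows SSLv2/SSLv3"
rm -f "$sample"
```

Run it against /etc/httpd/conf.d/ssl.conf or /etc/httpd/conf.d/nss.conf after editing. It reports only directives that are present, so a file with no protocol directive produces no output.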
Root Cause
A vulnerability was found in the SSLv3.0 protocol. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. For more information about this vulnerability, refer to the following article: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)
Diagnostic Steps
For diagnostic steps, refer to the following article: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)