Educause Security Discussion mailing list archives

Fwd: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)


From: Paul Howell <phowell () INTERNET2 EDU>
Date: Wed, 15 Oct 2014 16:44:09 +0000

Hi,

Given the large deployment of perfSONAR in our environments, I wanted to share the following.

Regards.
Paul Howell
Chief Cyberinfrastructure Security Officer
Internet2


Begin forwarded message:

From: Jason Zurawski <zurawski () es net>
Subject: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)
Date: October 15, 2014 at 11:01:17 AM EDT
To: perfsonar-user <perfsonar-user () internet2 edu>, perfsonar-announce <perfsonar-announce () perfsonar net>
Cc: "perfsonar-developer () internet2 edu" <perfsonar-developer () internet2 edu>
Reply-To: "perfsonar-developer () internet2 edu" <perfsonar-developer () internet2 edu>

Greetings;

This morning a new vulnerability in the SSLv3 libraries was disclosed.  The colloquial name is 'POODLE', keeping up 
this year's tradition of catchy ways to make you feel better about how you will spend part of your day patching 
devices.  A write up is available here:

https://access.redhat.com/articles/1232123

And the full CVE from Redhat is here:

https://access.redhat.com/security/cve/CVE-2014-3566

The best way to summarize the risk is that someone attempting a man in the middle could steal authorization headers 
from HTTP traffic, and gain entry to a server.  This naturally impacts all servers implementing SSLv3 protocols, 
including the perfSONAR Toolkit.  There are no reports of perfSONAR servers being victimized by this vulnerability, but 
the risk is a danger for any communication that uses the vulnerable libraries.

As of this morning (Oct 15 2014) there is not an upstream patch available from CentOS to correct the underlying problem 
in the libraries for servers.  Our development team has taken the steps to modify the Apache configuration on the 
toolkit to disable use of SSLv3 within the 3.4 release of perfSONAR.  A new package is available in our yum repository 
that addresses this.  We are recommending that netinstall users:

- Check your logs to see if the package has been automatically downloaded yet.  The package names are 
perl-perfSONAR_PS-Toolkit-3.4-29.pSPS and perl-perfSONAR_PS-Toolkit-SystemEnvironment-3.4-29.pSPS

- If you don't see it automatically downloaded, 'yum update' by hand.

A modification to the 3.3.2 release of the LiveCD is being built, but will take more time. LiveCD users with concerns 
can power down, or expedite your migration to the netinstall platform.  There will not be a 3.3 package released for 
netinstall users who have not upgraded yet - take this opportunity to upgrade to 3.4 if possible.

We will keep everyone posted on when a patch from the upstream vendor is released - for now we are confident that the 
changes we are implementing on the server side will reduce the risk this vulnerability poses.

Thanks;

-jason
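The message above says the toolkit's fix was to disable SSLv3 in the Apache configuration rather than wait for an upstream library patch. The script below is an added example, not code from the perfSONAR project or from either author: it shows a constructed "before" and "after" ssl.conf fragment (the "before" line is the one a stock CentOS 6 ssl.conf shipped with), a static check that reads a file's SSLProtocol directives the way mod_ssl does, and a live check against a running server using `openssl s_client -ssl3`. The file paths, the sample config fragments and the function names are assumptions made for the example; the expected `s_client` output strings are from OpenSSL 1.0.x, the version in use at the time.

```shell
#!/bin/sh
# Added example (not part of the perfSONAR project or this e-mail): the kind of
# Apache mod_ssl change the message describes, with a static check of the
# configuration and a live check of a running server.
# The sample ssl.conf fragments and file paths are constructed for illustration.

# Constructed "before": the SSLProtocol line a stock CentOS 6 ssl.conf ships with.
# "all" enables SSLv3 and every TLS version; only SSLv2 is removed.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
</VirtualHost>
EOF

# Constructed "after": SSLv3 removed as well, so a downgrading man in the middle
# has no SSLv3 handshake to fall back to.
FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
</VirtualHost>
EOF

# Returns 0 (true) when an SSLProtocol value leaves SSLv3 enabled.
# Mirrors how mod_ssl reads the directive: tokens are processed left to right,
# "+X" adds a version, "-X" removes one, and a bare token replaces the whole set;
# "all" stands for every version.
sslv3_enabled_by() {
    enabled=0
    for tok in $(printf '%s' "$1" | tr 'A-Z' 'a-z'); do
        case "$tok" in
            all|sslv3|+all|+sslv3) enabled=1 ;;
            -all|-sslv3)           enabled=0 ;;
            +*|-*)                 ;;           # other versions: no effect on SSLv3
            *)                     enabled=0 ;; # bare other version: replaces the set
        esac
    done
    [ "$enabled" -eq 1 ]
}

# Returns 0 when the file carries at least one SSLProtocol directive and none of
# them leaves SSLv3 enabled. A file with no directive fails the check, because
# mod_ssl's built-in default is "all".
conf_disables_sslv3() {
    found=0
    while read -r directive value; do
        [ -n "$directive" ] || continue
        found=1
        if sslv3_enabled_by "$value"; then
            return 1
        fi
    done <<EOF
$(sed 's/#.*//' "$1" | grep -i '^[[:space:]]*SSLProtocol[[:space:]]')
EOF
    [ "$found" -eq 1 ]
}

# Live check (needs the network and an OpenSSL build that still offers -ssl3,
# as OpenSSL 1.0.x did). Not run in this script. Returns 0 only when the server
# completes an SSLv3 handshake, which is the vulnerable state.
sslv3_accepted_by_host() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1:443" -ssl3 2>/dev/null)
    case "$out" in
        *"Cipher is (NONE)"*) return 1 ;;   # server refused the SSLv3 handshake
        *"Cipher is "*)       return 0 ;;   # SSLv3 negotiated: still vulnerable
        *)                    return 1 ;;   # no handshake output (unreachable etc.)
    esac
}

# Run the static check over both constructed files.
for f in "$WEAK_CONF" "$FIXED_CONF"; do
    if conf_disables_sslv3 "$f"; then
        echo "$f: SSLv3 disabled"
    else
        echo "$f: SSLv3 still enabled, fix SSLProtocol and restart httpd"
    fi
done
```

The static check only reads the directive; after editing ssl.conf the change takes effect on `service httpd restart`, and every VirtualHost with its own SSLProtocol line needs the same edit, since a later bare token silently replaces the set. The live check is the one to trust after the restart: a POODLE attacker needs the server to accept an SSLv3 handshake, so a refused `-ssl3` connection is the result you want. Note that this only protects the server side; clients that still offer SSLv3 to other servers are a separate matter.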

