Resolution for POODLE SSLv3.0 vulnerability (CVE-2014-3566) for components that do not allow SSLv3 to be disabled via configuration settings

Solution Unverified

Environment

  • Red Hat Enterprise Linux 5, 6, 7

Issue

  • How do I address CVE-2014-3566 for components that do not allow SSLv3 to be disabled via configuration settings?
  • How do I avoid impact to OpenLDAP from CVE-2014-3566?
  • How do I avoid impact to cups from CVE-2014-3566?
  • For JBoss EAP 5.2.0, I can't find security advisories for CVE-2014-3566 for the Linux platform. Where can I find this CVE for Red Hat Linux?

Resolution

Some components do not provide configuration parameters that allow SSLv3 to be disabled. Currently, the following components are known to fall into this category:

  • OpenLDAP
  • cups

It is possible to disable SSLv3 for these components by placing stunnel in front of them. Stunnel provides an encryption wrapper between a remote client and a local (inetd-startable) or remote server, using the OpenSSL library for cryptography. The component itself then only handles plaintext on a local port, and the SSL/TLS protocol versions offered to clients are controlled by stunnel's configuration rather than the component's.

To disable SSLv3 on stunnel, use the following configuration parameters in the stunnel.conf file:

options = NO_SSLv2
options = NO_SSLv3

Installation and configuration of stunnel is outside the scope of this solution; please consult the man pages and system documentation for more details.
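The following stunnel.conf is an added illustration of the approach described above, not configuration taken from Red Hat or the stunnel project. It terminates LDAPS on port 636 with SSLv2 and SSLv3 disabled and forwards the decrypted connection to a slapd instance listening for plain LDAP on the loopback interface. The certificate path and the assumption that slapd is bound to 127.0.0.1:389 are placeholders for this example.

```ini
; /etc/stunnel/stunnel.conf (example configuration, not from the original solution)
; Global settings: drop privileges after binding the listening socket
setuid = nobody
setgid = nobody
pid = /var/run/stunnel.pid

; Server certificate and key in PEM format (placeholder path, adjust to your deployment)
cert = /etc/stunnel/stunnel.pem

; Disable the protocol versions affected by CVE-2014-3566 and its SSLv2 predecessor.
; Each "options" line is cumulative; the values are OpenSSL SSL_OP_* flags.
options = NO_SSLv2
options = NO_SSLv3

[ldaps]
; Accept SSL/TLS-wrapped LDAP from remote clients on the standard LDAPS port
; and hand the plaintext to slapd on the loopback interface.
; slapd must NOT also listen on ldaps:/// (port 636) or the bind will conflict;
; restrict it to ldap://127.0.0.1:389 so that plaintext never leaves the host.
accept = 636
connect = 127.0.0.1:389
```

Two caveats apply. First, stunnel only covers the dedicated SSL/TLS port; clients that use STARTTLS on port 389 still negotiate with slapd's own TLS stack, so that port should not be reachable from untrusted networks unless the TLSProtocolMin setting described in the note below this solution is available. Second, after restarting stunnel, confirm that SSLv3 is really refused by running `openssl s_client -connect <host>:636 -ssl3` from another host; the handshake should fail, while the same command without `-ssl3` should succeed. The same [service] pattern can be applied to cups with its listening port, provided cups itself is bound only to the loopback address.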

Note: Newer openldap-servers packages support the TLSProtocolMin option. With openldap-servers-2.4.39-8.el6 (RHEL 6), openldap-servers-2.4.39-3.el7 (RHEL 7) or later, add "TLSProtocolMin 3.1" to slapd.conf to disable SSLv3: 3.1 is the protocol version number of TLS 1.0, so SSLv3 (3.0) and earlier are rejected. Refer to man slapd.conf for details.

Root Cause

A vulnerability was found in the SSLv3.0 protocol. It allows a man-in-the-middle attacker who can force a connection to fall back to SSLv3 to decrypt ciphertext using a padding oracle side-channel attack. For more information about this vulnerability, refer to the following article: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)

Diagnostic Steps

For diagnostic steps, refer to the following article: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.