Resolution for POODLE SSLv3.0 vulnerability (CVE-2014-3566) in vsftpd

Solution In Progress

Environment

  • Red Hat Enterprise Linux 5, 6, 7

Issue

  • How do I avoid impact to vsftpd from CVE-2014-3566?

Resolution

By default, SSL/TLS is not enabled for vsftpd. You may have enabled SSL/TLS by adding the following line to /etc/vsftpd/vsftpd.conf:

ssl_enable=YES

If SSL/TLS is enabled, add the following lines to /etc/vsftpd/vsftpd.conf so that only TLSv1 is allowed and SSLv2 and SSLv3 are disabled:

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

Once complete, restart vsftpd:

# service vsftpd restart
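The following script is an added example, not part of the Red Hat solution: it audits a vsftpd.conf for the condition this article addresses (ssl_enable=YES without SSLv2/SSLv3 explicitly disabled and TLSv1 enabled) and applies the three settings above idempotently, replacing an existing or commented-out line for each key rather than appending a duplicate. It assumes a POSIX shell with GNU sed (as shipped on RHEL) and works on a constructed sample file so it can be run without touching a live server; point it at /etc/vsftpd/vsftpd.conf to use it for real, then restart vsftpd as shown above.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): audit and harden vsftpd.conf
# so that only TLSv1 is allowed when ssl_enable=YES. Assumes GNU sed for -i.

# Returns 0 when SSL/TLS is enabled but the config does not explicitly set
# ssl_sslv2=NO, ssl_sslv3=NO and ssl_tlsv1=YES (i.e. hardening is needed).
# vsftpd does not allow spaces around '=', so exact key=value lines are matched.
vsftpd_needs_hardening() {
    conf="$1"
    # SSL/TLS not enabled: the POODLE settings are irrelevant, nothing to do.
    grep -Eiq '^ssl_enable=YES$' "$conf" || return 1
    grep -Eiq '^ssl_sslv2=NO$'   "$conf" || return 0
    grep -Eiq '^ssl_sslv3=NO$'   "$conf" || return 0
    grep -Eiq '^ssl_tlsv1=YES$'  "$conf" || return 0
    return 1
}

# Set key=value in the config: rewrite an existing (possibly commented-out)
# line for that key, otherwise append the directive at the end of the file.
vsftpd_set_option() {
    conf="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=" "$conf"; then
        sed -i "s/^[[:space:]]*#\{0,1\}[[:space:]]*${key}[[:space:]]*=.*/${key}=${value}/" "$conf"
    else
        printf '%s=%s\n' "$key" "$value" >> "$conf"
    fi
}

# Apply the three settings recommended in the article.
vsftpd_harden() {
    conf="$1"
    vsftpd_set_option "$conf" ssl_tlsv1 YES
    vsftpd_set_option "$conf" ssl_sslv2 NO
    vsftpd_set_option "$conf" ssl_sslv3 NO
}

# Constructed sample config for a stand-alone run (not a real server file):
# SSL is on, SSLv3 is explicitly allowed, the SSLv2 directive is commented out
# and ssl_tlsv1 is missing entirely.
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed vsftpd.conf fragment
anonymous_enable=NO
ssl_enable=YES
ssl_sslv3=YES
#ssl_sslv2=NO
EOF

# Audit only; call vsftpd_harden "$SAMPLE_CONF" to apply the fix.
if vsftpd_needs_hardening "$SAMPLE_CONF"; then
    echo "$SAMPLE_CONF: ssl_enable=YES but SSLv2/SSLv3 not disabled; hardening needed"
else
    echo "$SAMPLE_CONF: already restricted to TLSv1"
fi
```

The audit deliberately treats a missing directive as "needs hardening" rather than relying on the vsftpd compiled-in default, so a configuration is only reported clean when the three settings are stated explicitly, which is also what the article instructs.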

Root Cause

A vulnerability was found in the SSLv3.0 protocol. It allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. For more information about this vulnerability, refer to the following article: POODLE: SSLv3.0 vulnerability (CVE-2014-3566).

Diagnostic Steps

For diagnostic steps, refer to the following article: POODLE: SSLv3.0 vulnerability (CVE-2014-3566).
