Resolution for POODLE SSLv3.0 vulnerability (CVE-2014-3566) in vsftpd
Environment
- Red Hat Enterprise Linux 5, 6, 7
Issue
- How do I avoid impact to vsftpd from CVE-2014-3566?
Resolution
By default, SSL/TLS is not enabled for vsftpd. You may have configured vsftpd to enable SSL/TLS by adding the following line to /etc/vsftpd/vsftpd.conf:
ssl_enable=YES
If SSL/TLS is enabled, add the following lines to /etc/vsftpd/vsftpd.conf in order to only allow usage of TLSv1, not SSLv2 or SSLv3:
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
Once complete, restart vsftpd:
# service vsftpd restart
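As an added example (not part of the Red Hat article), the following POSIX shell functions audit a vsftpd.conf for the three directives above and apply them where missing. It assumes a key=value file with '#' comments where the last assignment of a key wins, and treats any directive that is not set explicitly as "not hardened" rather than relying on vsftpd's compile-time defaults.

```shell
#!/bin/sh
# Added example: check and enforce the vsftpd SSLv2/SSLv3 settings from the
# resolution above. Assumption: key=value lines, '#' comments, last key wins;
# values are compared against the literal YES/NO spellings the article uses.

# Print the effective value of key $2 in config file $1 (empty if never set).
vsftpd_get() {
    sed -n 's/[[:space:]]*$//; /^[[:space:]]*#/d; s/^[[:space:]]*'"$2"'=//p' "$1" | tail -n 1
}

# Exit status: 0 = SSL enabled and restricted to TLSv1 as recommended,
#              1 = SSL enabled but SSLv2/SSLv3 not explicitly disabled
#                  (or TLSv1 not explicitly enabled),
#              2 = ssl_enable is not YES, so SSL is off and nothing applies.
vsftpd_poodle_status() {
    [ "$(vsftpd_get "$1" ssl_enable)" = "YES" ] || return 2
    [ "$(vsftpd_get "$1" ssl_sslv2)" = "NO" ] || return 1
    [ "$(vsftpd_get "$1" ssl_sslv3)" = "NO" ] || return 1
    [ "$(vsftpd_get "$1" ssl_tlsv1)" = "YES" ] || return 1
    return 0
}

# Rewrite file $1 so the three directives carry the recommended values:
# existing uncommented assignments are replaced in place, missing ones appended.
# Commented-out lines are left untouched. Restart vsftpd afterwards.
vsftpd_poodle_harden() {
    for kv in ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO; do
        key=${kv%%=*}
        if grep -q "^[[:space:]]*${key}=" "$1"; then
            tmp=$(mktemp)
            sed "s/^[[:space:]]*${key}=.*/${kv}/" "$1" > "$tmp" && cat "$tmp" > "$1"
            rm -f "$tmp"
        else
            printf '%s\n' "$kv" >> "$1"
        fi
    done
}
```

Run `vsftpd_poodle_status /etc/vsftpd/vsftpd.conf` on a host to audit it; exit status 1 means the file still needs the three lines.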
Root Cause
A vulnerability was found in the SSLv3.0 protocol. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. For more information about this vulnerability, refer to the following article: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)
Diagnostic Steps
For diagnostic steps, refer to the following article: POODLE: SSLv3.0 vulnerability (CVE-2014-3566)
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.