Mitigating the CVE-2014-3566 SSLv3 "POODLE" Vulnerability on the X-Series Platform

book

Article ID: 168192

calendar_today

Updated On:

Products

XOS

Issue/Introduction

All XOS versions ship with an embedded Web server that is potentially vulnerable to the CVE-2014-3566 OpenSSL Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. CVE-2014-3566 exploits weaknesses in the SSLv3 protocol to enable man-in-the-middle attacks allowing access to clear text data within HTTPS sessions. Symantec recommends that you make the configuration change described in this article to prevent possible exploitation of this vulnerability.

About the XOS Web Server

  • The embedded Web server is not enabled by default. It only runs if it has been enabled via the configure web-server CLI command. If enabled, the embedded Web server will communicate via SSLv3 when requested by a client. To determine if the Web server is enabled on your chassis, use the CLI command show web-server.
  • The embedded Web server is only used to host the Greenlight Element Manager (GEM) health monitoring application. GEM displays primarily read-only health and statistical information for the chassis and provides the ability to retrieve chassis log files. The GEM application does not allow a user to reconfigure the chassis or modify the chassis state.
  • The embedded Web server can only be accessed via the CPM management ports and can never be accessed via data ports on the NPM modules. In a secure installation, it is expected that the CPM management ports are connected to a trusted management network and do not have direct access to the Internet. Access to the Web server can be further restricted to trusted client devices or subnets by configuring access control lists on the CPM module.
  • If you do not use GEM, you can disable the Web server by issuing the CLI command configure no web-server. If you do use GEM, you can specifically disable SSLv3 by following the steps in the workaround below.

Cause

From Red Hat:

Bugzilla: 1152789: CVE-2014-3566 openssl: Padding Oracle On Downgraded Legacy Encryption attack

Details

A flaw was found in the way SSL 3.0 handled padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw allows a man-in-the-middle (MITM) attacker to decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.

Statement

This issue affects the version of openssl as shipped with Red Hat Enterprise Linux 5, 6 and 7, Red Hat JBoss Enterprise Application Platform 5 and 6, and Red Hat JBoss Web Server 1 and 2, Red Hat Enterprise Virtualization Hypervisor 6.5, and Red Hat Storage 2.1. Additional information can be found in the Red Hat Knowledgebase article:
https://access.redhat.com/articles/1232123

Resolution

A fix for this vulnerability will be available in XOS V11.0, and in the XOS V10.0.3, XOS V9.7.6, and XOS V9.6.10 maintenance releases.

Workaround

To mitigate this vulnerability, you can explicitly disable SSLv3 in affected packages. This workaround applies to XOS V10.0.x, XOS V9.7.x, XOS V9.6.x, and XOS V9.5.x. Customers running earlier releases of XOS are advised to upgrade before applying this workaround.

To disable SSLv3 and force use of TLS by the Tomcat server, do the following:

  1. Log into the primary CPM.
  2. From the XOS CLI, stop the Web server
    CBS# configure no web-server
  3. Access the Linux prompt as root user and change to the Tomcat directory.
    CBS# un su
    Password:
    [[email protected] admin]# cd /etc/tomcat5
  4. Open the server.xml file in the tomcat5 directory for editing and locate the HTTP connector definition. XOS V10.0.x and XOS V9.7.x use port 443 for the HTTP Connector. XOS V9.6.x uses port 5443. Depending on the version of XOS installed, the definition will look approximately like this:
    <Connector port="443" maxHttpHeaderSize="8192"
                   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                   enableLookups="false" disableUploadTimeout="true"
                   acceptCount="100" scheme="https" secure="true"
                   keystore="conf/keystore" keypass="*****"
                   clientAuth="false" sslProtocol="TLS" />
  5. Add the protocols attribute to the HTTP connector definition, with the values shown in last line of the example below.
    <Connector port="443" maxHttpHeaderSize="8192"
                    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                    enableLookups="false" disableUploadTimeout="true"
                    acceptCount="100" scheme="https" secure="true"
                    keystore="conf/keystore" keypass="*****"
                    clientAuth="false" sslProtocol="TLS" 
                    protocols="TLSv1,TLSv1.1,TLSv1.2" />   <--- Add protocols attribute
  6. Save the changes, then exit to the XOS CLI.
    [[email protected] tomcat5]# exit
    CBS#
  7. Restart the Tomcat Web server.
    CBS# configure web-server
  8. To verify that SSLv3 is disabled, make sure that the Web server is enabled, and then run the following command from the Unix prompt. The output confirms that SSLv3 has been successfully disabled.
    [[email protected] admin]# curl -s3 --insecure -X GET https://127.0.0.1 > /dev/null ||  echo "ssl3 disabled"
    ssl3 disabled


Important: If you have a CP Redundancy configuration, make the same change on the secondary CPM.