New Contributor

Disabling SSLv3 for POODLE Vulnerability CVE-2014-3566

Hi All,

AirWave is vulnerable to the new POODLE SSL Vulnerability defined in CVE-2014-3566. In order to mitigate the vulnerability we need to disable the SSLv3 and SSLv2 Ciphers in the pound proxy configuration. This is done by doing the following. This was tested on AMP version 7.7.12.

1) Make a backup of your pound.cfg file:

cp /etc/pound.cfg /etc/pound.cfg.old

2) Edit the allowed Ciphers to remove SSLv2 and SSLv3:

sed -i 's/"DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA"/"ALL:!SSLv2:!SSLv3"/' /etc/pound.cfg

3) Restart the Pound process:

service pound restart

4) Confirm that SSLv3 is now disabled:

curl -3 https://amp-server-hostname/ > /dev/null

or

wget --secure-protocol=SSLv3 -O /dev/null https://amp-server-hostname/

For more information about the vulnerability, check out the openssl.org white paper.

Cheers,

Aaron

Moderator

Re: Disabling SSLv3 for POODLE Vulnerability CVE-2014-3566

Note that this will also break TLS1.0, due to some strangeness in how OpenSSL works.  As long as you have a browser that supports TLS1.1 or TLS1.2, that's OK.


There will be a couple AirWave patch releases posted soon (this week I believe) with a "correct" fix.

---
Jon Green, ACMX, CISSP
Security Guy
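As an added example (not from this thread and not AirWave's own tooling), the script below does steps 1 and 2 against whatever Ciphers value a pound.cfg currently holds, rather than only the one exact default string the sed in step 2 matches, and classifies a cipher string the way the moderator reply describes: "!SSLv3" rules out SSLv3, but because TLS1.0/1.1 use the same cipher suites it also shuts those clients out. The ListenHTTPS fragment and the /etc/pound/server.pem path are constructed sample data.

```python
import re
import shutil
import sys

# A pound.cfg Ciphers directive: group 1 keeps indentation + keyword, group 2 is
# the quoted OpenSSL cipher string.
CIPHERS_RE = re.compile(r'^([ \t]*Ciphers[ \t]+)"([^"]*)"', re.MULTILINE)
HARDENED = "ALL:!SSLv2:!SSLv3"  # the replacement cipher string from step 2

def cipher_strings(cfg_text):
    """Return every quoted Ciphers value in the config text, in file order."""
    return [m.group(2) for m in CIPHERS_RE.finditer(cfg_text)]

def audit_cipher_string(cipher_string):
    """Classify one OpenSSL cipher string by the protocol exclusions it carries.
    A list that only names suites (the 7.7.12 default) still lets an SSLv3
    client negotiate one of them; only a '!SSLv3' token rules SSLv3 out. That
    token drops every suite SSLv3 can use, and TLS1.0/1.1 rely on the same
    suites, so it also shuts out TLS1.0/1.1 clients (the moderator's caveat).
    """
    tokens = [t.strip() for t in cipher_string.split(":") if t.strip()]
    excludes_sslv3 = "!SSLv3" in tokens
    return {
        "excludes_sslv2": "!SSLv2" in tokens,
        "excludes_sslv3": excludes_sslv3,
        "breaks_tls10_11": excludes_sslv3,
    }

def harden_config(cfg_text):
    """Rewrite every Ciphers directive to HARDENED; return (new_text, count)."""
    return CIPHERS_RE.subn(lambda m: '%s"%s"' % (m.group(1), HARDENED), cfg_text)

# Constructed sample: a ListenHTTPS block with a shortened form of the default
# cipher list quoted in step 2 (real configs carry the full list).
SAMPLE_CFG = '''ListenHTTPS
    Address 0.0.0.0
    Port 443
    Cert "/etc/pound/server.pem"
    Ciphers "DHE-RSA-AES256-SHA:AES256-SHA:DES-CBC3-SHA"
End
'''

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/pound.cfg"
    shutil.copy2(path, path + ".old")  # same backup as step 1
    with open(path) as fh:
        updated, count = harden_config(fh.read())
    with open(path, "w") as fh:
        fh.write(updated)
    print("rewrote %d Ciphers directive(s); now run: service pound restart" % count)
```

Run it as root with the config path as the only argument, then restart pound and repeat the step 4 check; expect TLS1.0 clients (such as the older Java stack in VisualRF) to fail as well until the vendor patch lands.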
New Contributor

Re: Disabling SSLv3 for POODLE Vulnerability CVE-2014-3566

Most modern browsers support TLS1.1 or TLS1.2 so this shouldn't be a problem.

New Contributor

Re: Disabling SSLv3 for POODLE Vulnerability CVE-2014-3566

A quick update for all.

We noticed today that the VisualRF process connects to the rest of AMP using SSLv3. So implementing this fix for the short term will break VisualRF. Log included below. Is there a workaround for this, or will we need to revert and wait until the patch is released?

2014-10-22 13:19:04,152 ERROR Main com.airwave.amp.ConfigurationParserImpl execute
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
at java.io.BufferedOutputStream.flush(Unknown Source)
at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:502)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1965)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:393)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:168)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:393)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
at com.airwave.core.AbstractXmlQuery.prepareClientLogin(AbstractXmlQuery.java:285)
at com.airwave.core.AbstractXmlQuery.prepareMethod(AbstractXmlQuery.java:332)
at com.airwave.core.AbstractXmlQuery.prepareMethod(AbstractXmlQuery.java:311)
at com.airwave.core.AbstractXmlQuery.execute(AbstractXmlQuery.java:117)
at com.airwave.core.AbstractXmlQuery.open(AbstractXmlQuery.java:213)
at com.airwave.svg.ConfigurationServiceImpl.processOverrides(ConfigurationServiceImpl.java:63)
at com.airwave.svg.ConfigurationServiceImpl.<init>(ConfigurationServiceImpl.java:30)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at com.airwave.core.ServiceLocator.providers(ServiceLocator.java:394)
at com.airwave.core.ServiceLocator.lookup(ServiceLocator.java:153)
at com.airwave.svg.init.Startup.<init>(Startup.java:353)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at com.airwave.core.sys.Bootstrapper.main(Bootstrapper.java:92)
2014-10-22 13:19:04,153 ERROR Main com.airwave.svg.ConfigurationServiceImpl processOverrides
