Network Management

Disabling SSLv3 for POODLE Vulnerability CVE-2014-3566

  • 1.  Disabling SSLv3 for POODLE Vulnerability CVE-2014-3566

    Posted Oct 21, 2014 03:02 PM

    Hi All,

    AirWave is vulnerable to the new POODLE SSL Vulnerability defined in CVE-2014-3566. In order to mitigate the vulnerability we need to disable the SSLv3 and SSLv2 Ciphers in the pound proxy configuration. This is done by doing the following. This was tested on AMP version 7.7.12.

    1) Make a backup of your pound.cfg file:

    cp /etc/pound.cfg /etc/pound.cfg.old

    2) Edit the allowed Ciphers to remove SSLv2 and SSLv3:

    sed -i 's/"DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA"/"ALL:!SSLv2:!SSLv3"/' /etc/pound.cfg

    3) Restart the Pound process:

    service pound restart

    4) Confirm that SSLv3 is now disabled:

    curl -3 amp-server-hostname > /dev/null

    or

    wget --secure-protocol=SSLv3 -O /dev/null amp-server-hostname

    For more information about the vulnerability check out the openssl.org white paper.

    Cheers,

    Aaron



  • 2.  RE: Disabling SSLv3 for POODLE Vulnerability CVE-2014-3566

    EMPLOYEE
    Posted Oct 21, 2014 03:21 PM

    Note that this will also break TLS1.0, due to some strangeness in how OpenSSL works.  As long as you have a browser that supports TLS1.1 or TLS1.2, that's OK.


    There will be a couple AirWave patch releases posted soon (this week I believe) with a "correct" fix.
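The steps in the first post (back up pound.cfg, rewrite the Ciphers line, verify) as one runnable script. This is an added example, not code from the original posts or from the Pound or AirWave projects; it works on a constructed pound.cfg fragment in a temporary directory rather than on /etc/pound.cfg, and the sample cipher list, the sslv3_handshake_fails helper and its hostname argument are assumptions for the demo. One point worth understanding before applying the fix: in an OpenSSL cipher string, "SSLv3" names the group of cipher suites first defined for SSLv3, which TLS 1.0 and TLS 1.1 reuse, so "ALL:!SSLv2:!SSLv3" removes those suites rather than the protocol version and leaves only suites introduced with TLS 1.2. That is why the reply above says the change also breaks TLS 1.0: any client that cannot negotiate TLS 1.2 gets a handshake_failure alert.

```sh
#!/bin/sh
# Added example, not from the original posts or from Pound/AirWave.
# Rewrites the Ciphers directive of a Pound config to "ALL:!SSLv2:!SSLv3",
# keeping a backup, and checks the result. File paths are constructed for
# the demo; on an AMP host the real file is /etc/pound.cfg (from the post).

# Write a constructed pound.cfg fragment that resembles the cipher line in the post.
write_sample_cfg() {
    cat > "$1" <<'EOF'
ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "/etc/pound.pem"
    Ciphers "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DES-CBC3-SHA"
End
EOF
}

# Steps 1 and 2 of the post: back up the file, then replace whatever cipher
# list is present (not only the exact string from the post) with the
# OpenSSL cipher string that drops the SSLv2 and SSLv3 suites.
harden_pound_ciphers() {
    cfg="$1"
    cp "$cfg" "$cfg.old" || return 1
    sed 's/^\([[:space:]]*Ciphers[[:space:]]*\)"[^"]*"/\1"ALL:!SSLv2:!SSLv3"/' "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
}

# Returns 0 when the config's Ciphers line is the hardened string.
ciphers_exclude_sslv3() {
    grep -q '^[[:space:]]*Ciphers[[:space:]]*"ALL:!SSLv2:!SSLv3"' "$1"
}

# Step 4 of the post as a function (hypothetical helper): "curl -3" forces an
# SSLv3 handshake, so success means the server still accepts SSLv3 and the
# function returns 0 only when that handshake fails. Needs network access and
# a curl built with SSLv3 support, so the demo below does not call it.
sslv3_handshake_fails() {
    ! curl -3 -s -o /dev/null "https://$1/"
}

# Demo on a temporary copy.
workdir=$(mktemp -d)
write_sample_cfg "$workdir/pound.cfg"
harden_pound_ciphers "$workdir/pound.cfg"
if ciphers_exclude_sslv3 "$workdir/pound.cfg"; then
    echo "hardened: $(grep Ciphers "$workdir/pound.cfg")"
    echo "backup kept at $workdir/pound.cfg.old"
fi
rm -rf "$workdir"
```

To see exactly which suites survive on your OpenSSL build, run `openssl ciphers -v 'ALL:!SSLv2:!SSLv3'` and look at the protocol column; anything a TLS 1.0-only client could use will be gone. Pound releases that support a `Disable SSLv3` directive in the ListenHTTPS block can turn off the protocol itself while keeping the TLS 1.0/1.1 suites, which is closer to the "correct" fix the reply above refers to; check the man page for your installed version before relying on it.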



  • 3.  RE: Disabling SSLv3 for POODLE Vulnerability CVE-2014-3566

    Posted Oct 21, 2014 03:56 PM

    Most modern browsers support TLS1.1 or TLS1.2 so this shouldn't be a problem.



  • 4.  RE: Disabling SSLv3 for POODLE Vulnerability CVE-2014-3566

    Posted Oct 22, 2014 05:00 PM

    A quick update for all.

    We noticed today that the VisualRF process connects to the rest of AMP using SSLv3. So implementing this fix for the short term will break VisualRF. Log included below. Is there a workaround for this, or will we need to revert and wait until the patch is released?

     

    javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
    at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
    at java.io.BufferedOutputStream.flush(Unknown Source)
    at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:502)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1965)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:393)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:168)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:393)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
    at com.airwave.core.AbstractXmlQuery.prepareClientLogin(AbstractXmlQuery.java:285)
    at com.airwave.core.AbstractXmlQuery.prepareMethod(AbstractXmlQuery.java:332)
    at com.airwave.core.AbstractXmlQuery.prepareMethod(AbstractXmlQuery.java:311)
    at com.airwave.core.AbstractXmlQuery.execute(AbstractXmlQuery.java:117)
    at com.airwave.core.AbstractXmlQuery.open(AbstractXmlQuery.java:213)
    at com.airwave.svg.ConfigurationServiceImpl.processOverrides(ConfigurationServiceImpl.java:63)
    at com.airwave.svg.ConfigurationServiceImpl.<init>(ConfigurationServiceImpl.java:30)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at com.airwave.core.ServiceLocator.providers(ServiceLocator.java:394)
    at com.airwave.core.ServiceLocator.lookup(ServiceLocator.java:153)
    at com.airwave.svg.init.Startup.<init>(Startup.java:353)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at com.airwave.core.sys.Bootstrapper.main(Bootstrapper.java:92)
    2014-10-22 13:19:04,152 ERROR Main com.airwave.amp.ConfigurationParserImpl execute
    javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
    at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
    at java.io.BufferedOutputStream.flush(Unknown Source)
    at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:502)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1965)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:393)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:168)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:393)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
    at com.airwave.core.AbstractXmlQuery.prepareClientLogin(AbstractXmlQuery.java:285)
    at com.airwave.core.AbstractXmlQuery.prepareMethod(AbstractXmlQuery.java:332)
    at com.airwave.core.AbstractXmlQuery.prepareMethod(AbstractXmlQuery.java:311)
    at com.airwave.core.AbstractXmlQuery.execute(AbstractXmlQuery.java:117)
    at com.airwave.core.AbstractXmlQuery.open(AbstractXmlQuery.java:213)
    at com.airwave.svg.ConfigurationServiceImpl.processOverrides(ConfigurationServiceImpl.java:63)
    at com.airwave.svg.ConfigurationServiceImpl.<init>(ConfigurationServiceImpl.java:30)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at com.airwave.core.ServiceLocator.providers(ServiceLocator.java:394)
    at com.airwave.core.ServiceLocator.lookup(ServiceLocator.java:153)
    at com.airwave.svg.init.Startup.<init>(Startup.java:353)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at com.airwave.core.sys.Bootstrapper.main(Bootstrapper.java:92)
    2014-10-22 13:19:04,153 ERROR Main com.airwave.svg.ConfigurationServiceImpl processOverrides
    javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
    at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
    at java.io.BufferedOutputStream.flush(Unknown Source)
    at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:502)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1965)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:393)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:168)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:393)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
    at com.airwave.core.AbstractXmlQuery.prepareClientLogin(AbstractXmlQuery.java:285)
    at com.airwave.core.AbstractXmlQuery.prepareMethod(AbstractXmlQuery.java:332)
    at com.airwave.core.AbstractXmlQuery.prepareMethod(AbstractXmlQuery.java:311)
    at com.airwave.core.AbstractXmlQuery.execute(AbstractXmlQuery.java:117)
    at com.airwave.core.AbstractXmlQuery.open(AbstractXmlQuery.java:213)
    at com.airwave.svg.ConfigurationServiceImpl.processOverrides(ConfigurationServiceImpl.java:63)
    at com.airwave.svg.ConfigurationServiceImpl.<init>(ConfigurationServiceImpl.java:30)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at com.airwave.core.ServiceLocator.providers(ServiceLocator.java:394)
    at com.airwave.core.ServiceLocator.lookup(ServiceLocator.java:153)
    at com.airwave.svg.init.Startup.<init>(Startup.java:353)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at com.airwave.core.sys.Bootstrapper.main(Bootstrapper.java:92)