ESA-28: Update on the POODLE Attack

Eucalyptus Security Team

Oct 20, 2014, 1:57:18 PM10/20/14
to security...@eucalyptus.com
ESA-28: The POODLE Attack

====================================================================
Eucalyptus Security Advisory

Advisory ID: ESA-28
Issue Date: 2014-10-15
Last Updated: 2014-10-20
Severity Level: Important
Affected Products: Eucalyptus Management Console, Eucalyptus 4.0
CVE Number: CVE-2014-3566
====================================================================

OVERVIEW
------------

The Padding Oracle On Downgraded Legacy Encryption (POODLE) attack affects SSL 3.0 and allows for a man-in-the-middle attack against SSL/TLS connections. This vulnerability affects Eucalyptus Management Console when HTTPS is used. It can also affect load balancers created using eucalyptus-load-balancer-image v1.0.5-1.1.2 if SSL or HTTPS protocols are used. We recommend disabling SSL 3.0 on the console to address this issue. An updated eucalyptus-load-balancer-image package is now available for Eucalyptus 4.0. We recommend updating all affected EMIs and instances launched from them as soon as possible.

DESCRIPTION
-------------

The POODLE attack has been announced against SSL 3.0:

https://www.openssl.org/~bodo/ssl-poodle.pdf

This vulnerability allows for a man-in-the-middle attack against SSL/TLS connections. If an application repeatedly sends the same data over an SSL 3.0 connection, a selected byte of the ciphertext can be decrypted by an attacker in as few as 256 tries. This vulnerability can be exploited only if both the client and the server support SSL 3.0. The attack can be used, for example, to steal secure cookies in web applications.

All versions of Eucalyptus Management Console are affected by the vulnerability.

This vulnerability also affects HTTPS/SSL load balancers created from eucalyptus-load-balancer-image v1.0.5-1.1.2. This specifically affects any load balancers that work with applications that repeatedly send (or can be forced to repeatedly send) sensitive data over SSL.


SOLUTION
-------------

As of Eucalyptus Management Console 4.0.0, nginx is required to enable secure communication with the console:

https://www.eucalyptus.com/docs/eucalyptus/4.0.1/index.html#shared/console_config_ssl_certs.html

To disable SSL 3.0 on nginx, add the following line to the SSL configuration section in /etc/nginx/nginx.conf:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
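Because the fix is a single directive that is easy to miss across several server blocks, the following added example (not part of this advisory or of the Eucalyptus project) audits an nginx configuration for the weak setting. It shows a constructed server block that still lists SSLv3 beside the corrected block using the line above, and flags both an explicit SSLv3/SSLv2 entry and the absence of any ssl_protocols directive (nginx releases current at the time of this advisory included SSLv3 in the default). The certificate paths are placeholders.

```python
import re

# Constructed sample: a server block that still offers SSL 3.0 (the weak setting).
WEAK_CONF = """
http {
    server {
        listen 443 ssl;
        ssl_certificate     /etc/pki/tls/certs/console.crt;    # placeholder path
        ssl_certificate_key /etc/pki/tls/private/console.key;  # placeholder path
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    }
}
"""

# Constructed sample: the same block with the directive recommended in ESA-28.
FIXED_CONF = """
http {
    server {
        listen 443 ssl;
        ssl_certificate     /etc/pki/tls/certs/console.crt;    # placeholder path
        ssl_certificate_key /etc/pki/tls/private/console.key;  # placeholder path
        # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   (old line, kept as a comment)
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }
}
"""

# Protocol versions that must not appear in any ssl_protocols directive.
LEGACY = {"SSLv2", "SSLv3"}


def strip_comments(text):
    """Drop nginx comments, which run from '#' to the end of the line."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def ssl_protocol_directives(conf_text):
    """Return the token list of every ssl_protocols directive, in file order."""
    pattern = re.compile(r"\bssl_protocols\s+([^;]+);")
    return [m.group(1).split() for m in pattern.finditer(strip_comments(conf_text))]


def audit(conf_text):
    """Return a list of findings; an empty list means no POODLE-relevant setting was found."""
    directives = ssl_protocol_directives(conf_text)
    findings = []
    if not directives:
        findings.append("no ssl_protocols directive: the nginx default applies, "
                        "which included SSLv3 in releases current in 2014")
    for protos in directives:
        bad = sorted(LEGACY & set(protos))
        if bad:
            findings.append("legacy protocol(s) enabled: " + ", ".join(bad))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, "->", audit(conf) or ["ok"])
```

Run it against the real file with `audit(open("/etc/nginx/nginx.conf").read())`; an empty list means every ssl_protocols directive omits SSLv2 and SSLv3. The check is on the configuration text only, so remember to reload nginx after editing for the new setting to take effect.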

A new eucalyptus-load-balancer-image package with SSL 3.0 disabled is now available for Eucalyptus 4.0:

eucalyptus-load-balancer-image-1.1.3-0.90.36.el6.x86_64.rpm


WORKAROUND
-------------

Disabling SSL 3.0 support on the client (such as in the browser) is a sufficient measure to protect against the POODLE attack.


CONTACT and HELP
-------------

Contact the Eucalyptus Security Team at secu...@eucalyptus.com.
