191 Lotus blogs updated hourly. Who will post next? Home | Blogs | Search | About 
 
Latest 7 Posts
Interesting in Going to IBM Connect 2017? Contact me for a $100 Discount
Thu, Jan 19th 2017 159
Notes Domino Templates Get Slated for an Update. Here’s the Roadmap
Mon, Oct 3rd 2016 7
Staying at The Top of Google Searches for Smart Phones
Thu, Sep 29th 2016 7
Awesome Linux Reference Sheets for Developers (and Administrators)
Tue, Sep 27th 2016 11
IMSMO 2.0 (Project Hawthorn) Expands Client Offerings, Crash Avoidance Tip, and an Updated Schema
Mon, Sep 26th 2016 8
IBM Verse On-premises Third Post: Updated Schema, New Features
Thu, Sep 22nd 2016 11
A Conversation with Barry Rosen, at IBM: Part II
Wed, Sep 21st 2016 7
Top 10
Interesting in Going to IBM Connect 2017? Contact me for a $100 Discount
Thu, Jan 19th 2017 159
IBM Verse On-premises Architecture and Insight
Wed, Aug 3rd 2016 16
Skype 4.3 on Linux Crashing? Here’s a Fix.
Tue, Aug 5th 2014 11
IBM Verse On-premises Third Post: Updated Schema, New Features
Thu, Sep 22nd 2016 11
Awesome Linux Reference Sheets for Developers (and Administrators)
Tue, Sep 27th 2016 11
IMSMO 2.0 (Project Hawthorn) Expands Client Offerings, Crash Avoidance Tip, and an Updated Schema
Mon, Sep 26th 2016 8
How To Receive Ubuntu 12.04 Kernel Updates After 7 August 2014
Wed, Jul 16th 2014 7
Firefox Upgrade Kills iNotes, ICS SSL Product Access with Domino CA/Self-Signed Certs
Sun, Aug 3rd 2014 7
A Conversation with Barry Rosen, at IBM: Part I
Tue, Sep 20th 2016 7
A Conversation with Barry Rosen, at IBM: Part II
Wed, Sep 21st 2016 7


New SSL3 Exploit: The POODLE Is Here and Lifting Its Leg
Twitter Google+ Facebook LinkedIn Addthis Email Gmail Flipboard Reddit Tumblr WhatsApp StumbleUpon Yammer Evernote Delicious
Bill Malchisky    

Here we go again... another blockbuster security exploit with another clever code name is announced. POODLE (Padding Oracle On Downgraded Legacy Encryption) CVE-2014-3566 specifically allows a man-in-the-middle style attack utilizing an SSL3 connection. Once again, Red Hat does a stellar job offering full details on background, technical specifics, and testing. Google's Online Security Blog post is exceedingly terse when contrasting. Here is what you need to know.

What is It?

CVE-2014-3566 allows one to decrypt ciphertext using a padding oracle side-channel attack.

Severity

It is categorized as a High priority and High Severity, which is the third highest of the former and second highest on the latter. So, although this is a nasty exploit, the damage to your systems could be worse. In the short-run, take care of it.

Red Hat is making this a top priority and has a KB article (#1232123) on the subject. Excerpts are below. Also, Google's security blog has a couple of paragraphs on this exploit and an eye towards a patch for their products.


Testing for the Vulnerability

Run this command on your server or remotely if easier to see if your server is vulnerable. This does not text specific applications on said server that may be configured to use SSLv3

malchw@san-domino:~$ openssl s_client -connect localhost:443 -ssl3

malchw@san-domino:~$ openssl s_client -connect [hostname.foo.com]:443 -ssl3


Note: Change the port number and hostname to suite your specific test case.


Positive result

If you see something similar to this, you are vulnerable
Results - New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA

Server public key is 1024 bit

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONE

SSL-Session:

   Protocol  : SSLv3



Negative Result

Else, you are fine, if this excerpt is close to your output:
140128201074504:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40

140128201074504:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:


---

New, (NONE), Cipher is (NONE)

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONESSL-Session:



I suspect most servers with SSL will have SSL3 enabled, making the situation more wide-spread than some people may realize. This is operating system agnostic, so Microsoft, IBM, Red Hat, Oracle, VCE, et alia will all have upcoming product lists with affected products and tools, needing attention.


Fixing The Exploit

At this time a proper fix is unavailable. As of midnight EDT on Wednesday, Red Hat has not released a fix yet, but is working on it. Other companies will need to do the same, as well as browser ISVs to ensure compatibility. In the mean time, the suggested work-arounds are as follows:
1. Disable SSLv3 on your servers
2. Even if impractical to do disable SSLv3, consider using TLSv1.1 and TLSv1.2 with the  TLS_FALLBACK_SCSV parameter on your TLS servers enabled (Internet white paper draft available). This process may cause a few issues with some IBM products (to be fair, most vendors products will have issues even temporarily).

Red Hat's in-scope products (at this time) are here:
Product
Affected Component(s)
Red Hat Enterprise Linux Tomcat, Firefox/Chromium, httpd, OpenSSL
JBoss Enterprise Middleware Tomcat/JBoss Web, httpd, OpenSSL
Red Hat Network Satellite Tomcat
Red Hat Certificate System Tomcat
Inktank Ceph Enterprise httpd




Notations

1. Each affected component's hotspot offers a product specific technote on how to address the fix for the specific product and more focused testing too;
2. The table is current at the time of this writing and may expand as a fix is released by Red Hat and other products identified

Google provided a white paper entitled, This POODLE Bites: Exploiting the SSL 3.0 Fallback, which provides greater detail on the TLS suggested settings and the exploit itself. Google is suggesting the use of TLS_FALLBACK_SCSV too.

More later when a fix is released. Good luck.

---------------------
http://www.BillMal.com/billmal/billmal.nsf/dx/ssl3.poodle.intro.htm
Oct 15, 2014
5 hits



Recent Blog Posts
159
Interesting in Going to IBM Connect 2017? Contact me for a $100 Discount
Thu, Jan 19th 2017 3:06p   Bill Malchisky Jr.
Hi Everyone and Happy New Year to all of you. Best of luck in the new year. I have a couple of posts for IBM Connect in the works. Lets commence new year with a new discount. As an IBM Champion for 2017, IBM is allowing us to offer $100 discounts to friends who may be interested in attending. If you are on the fence, know that the session list is attractive with over 200 being offered. Success stories from customers will be on display, along with the technical labs returning as well. Thus, you c
7
Notes Domino Templates Get Slated for an Update. Here’s the Roadmap
Mon, Oct 3rd 2016 2:05a   Bill Malchisky Jr.
This is the first of two roadmap posts I authored for release this week. Beyond my post last month where I covered lightly that templates would be upgraded, Barry Rosen provided an updated roadmap with two slides covering just Notes Domino Templates. For simplicity, I copy-pasted the prose from the first slide to make it searchable, and appended the time table slide for the second. Nice to see some progress here too. Nice to see that they are filling in the hole created previously from multiple
7
Staying at The Top of Google Searches for Smart Phones
Thu, Sep 29th 2016 2:10a   Bill Malchisky Jr.
Although quality web developers have known for a while, Google wants you to be mobile friendly. Thus, if you want to stay at the top of Google web searches when the customer uses a smart phone, then your web site must display well on mobile phones. If not, Google will lower your weighting and you'll suddenly show farther down the list versus when the same search is performed on a desktop. But never fear, Google offers a free tool to check your site. As I thought this tool is handy, I wanted
11
Awesome Linux Reference Sheets for Developers (and Administrators)
Tue, Sep 27th 2016 2:03p   Bill Malchisky Jr.
A blog post for developers? Yes! Though it is not my first and will not be my last, it has been awhile. As an admin, this reference sheet is also helpful. I learned of a great Vim (vi Improved) reference sheet recently. There is a lot of information on a single sheet of paper, organized quite well and easy to use. If you need a handy reference sheet for vi commands... this is a good one to review. Although it works great in color, but he also offers a gray scale version and one for those with re
8
IMSMO 2.0 (Project Hawthorn) Expands Client Offerings, Crash Avoidance Tip, and an Updated Schema
Mon, Sep 26th 2016 3:17a   Bill Malchisky Jr.
On Thursday, 22 September, IBM Social Business Community Call where Luis Guirigay, Barry Rosen, and Scott Vrusho provided a quality session on IMSMO 2.0, IBM re-announced to a larger international audience new support for Outlook 2010 and 2016. This is exciting news to hear. At ICON US in May, Luis Guirigay stated that the new expanded client support would happen this year and at MWLUG 2016, IBM officially made the announcement--keeping their promise. In my working with the product over the past
11
IBM Verse On-premises Third Post: Updated Schema, New Features
Thu, Sep 22nd 2016 3:16a   Bill Malchisky Jr.
Preface In my previous two blog posts pertaining to Verse On-premises (VOP), please note that a few of the items below were covered here previously. This serves as a metric to ascertain what key items are likely to remain. As cited here on July 18, 2016, IBM is fully committed to and on-track to make a year-end release for this product. IBM is discussing a lot of new VOP items at events in multiple cities/countries; for example MWLUG in Austin, TX. Much of what I reported on August 3, 2016 rema
7
A Conversation with Barry Rosen, at IBM: Part II
Wed, Sep 21st 2016 2:01a   Bill Malchisky Jr.
Below is the completion of my interview with Barry Rosen, IBM Offering Manager for ICS. Enjoy! Notes 9.0.2 and Feature Packs * As indicated in the slide yesterday, the entire feature set of 9.0.2 will not be released into one Feature Pack (FP), but over four. Yes, the next four FPs will introduce what 9.0.2 would have offered. For some, this may be an eternity. Here is how I look at it: If we waited for 9.0.2 to actually be released, we would be looking at a late Q2 '17 release date at th
7
A Conversation with Barry Rosen, at IBM: Part I
Tue, Sep 20th 2016 2:02a   Bill Malchisky Jr.
During ICON UK 2016 in London, I took some time to talk with the IBM Offering Manager for ICS covering IBM Notes, Domino, Verse on Premises, and Sametime, Barry Rosen. Our initial Q&A turned into about a 30 minute dialogue, which I found quite informative. With his permission, I am posting the more interesting parts of our conversation. Acknowledging Reality To Reset the Norm IBM recognizes --- as do their customers and BPs --- that over the previous three years, they became a rudder
2
My Two ICON UK 2016 Session Decks
Mon, Sep 19th 2016 1:00p   Bill Malchisky Jr.
What a great few days in London. Once again, the entire team there did a great job to offer the IBM Community an excellent learning opportunity. Thank you as well to the quality sponsors that committed to ensure this user group would happen. The organizers and the sponsors all deserve our gratitude. From that, I spoke at two sessions: Day 1 - co-presented with Keith Brooks Migration:Impossible... Not so Day 2 - co-presented with Serdar Basegmez Back from the Dead: When Bad Code Kills
16
IBM Verse On-premises Architecture and Insight
Wed, Aug 3rd 2016 2:30a   Bill Malchisky Jr.
Yesterday, IBM provided a preview call for select customers covering IBM Verse On-premises (VOP). Those in attendance were amongst the first to receive updated particulars on this product. I explicitly asked and received permission to provide this information. Here is a subset of relevant items discussed/presented. Disclaimer: As certain features are still being developed, anything and everything below is subject to change. The data below reflects what was presented to me and is believed to b




Created and Maintained by Yancy Lent - About - Planet Lotus Blog - Advertising - Mobile Edition