New SSL3 Exploit: The POODLE Is Here and Lifting Its Leg
Bill Malchisky

Here we go again... another blockbuster security exploit with another clever code name is announced. POODLE (Padding Oracle On Downgraded Legacy Encryption), CVE-2014-3566, specifically allows a man-in-the-middle style attack utilizing an SSL3 connection. Once again, Red Hat does a stellar job offering full details on background, technical specifics, and testing. Google's Online Security Blog post is exceedingly terse by contrast. Here is what you need to know.

What is It?

CVE-2014-3566 allows one to decrypt ciphertext using a padding oracle side-channel attack.

Severity

It is categorized as High priority and High Severity, which is the third highest of the former and second highest of the latter. So, although this is a nasty exploit, the damage to your systems could be worse. In the short run, take care of it.

Red Hat is making this a top priority and has a KB article (#1232123) on the subject. Excerpts are below. Also, Google's security blog has a couple of paragraphs on this exploit and an eye towards a patch for their products.


Testing for the Vulnerability

Run one of these commands, either on the server itself or remotely if that is easier, to see whether your server accepts SSLv3 connections. This does not test specific applications on that server that may be configured to use SSLv3.

malchw@san-domino:~$ openssl s_client -connect localhost:443 -ssl3

malchw@san-domino:~$ openssl s_client -connect [hostname.foo.com]:443 -ssl3


Note: Change the port number and hostname to suit your specific test case.


Positive result

If you see something similar to this, you are vulnerable:

Results:
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3



Negative Result

Otherwise, if your output is close to this excerpt, the server refuses the SSLv3 handshake and you are fine:

140128201074504:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140128201074504:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
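The two outcomes above can be told apart mechanically, which helps when checking many hosts and ports. The script below is an added example and not part of the original post: classify_ssl3_output reads saved openssl s_client output and reports "vulnerable" when an SSLv3 session was negotiated, "not-vulnerable" when the server refused the handshake, and "unknown" otherwise (for instance when the local OpenSSL build no longer accepts -ssl3 at all). The two sample outputs are constructed from the excerpts above; probe_ssl3 wraps the live command from the post and is only for use against a host you administer.

```shell
#!/bin/sh
# Added example (not from the original post): classify the output of
#   openssl s_client -connect HOST:PORT -ssl3
# so that many servers can be checked without reading each transcript by hand.

# classify_ssl3_output: reads s_client output on stdin and prints one word:
#   vulnerable      - an SSLv3 session was negotiated ("Protocol : SSLv3")
#   not-vulnerable  - the server refused SSLv3 (handshake failure / no cipher)
#   unknown         - anything else (e.g. "unknown option -ssl3", DNS failure)
classify_ssl3_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Protocol  *: SSLv3'; then
        echo vulnerable
    elif printf '%s\n' "$out" | grep -q 'Cipher is (NONE)' \
      || printf '%s\n' "$out" | grep -q 'handshake failure'; then
        echo not-vulnerable
    else
        echo unknown
    fi
}

# probe_ssl3 HOST [PORT]: the post's live check, piped into the classifier.
# Requires an OpenSSL build that still accepts -ssl3; modern builds removed
# SSLv3 support entirely, in which case the result is "unknown".
probe_ssl3() {
    host=$1
    port=${2:-443}
    printf '' | openssl s_client -connect "$host:$port" -ssl3 2>&1 | classify_ssl3_output
}

# Constructed sample transcripts, modelled on the excerpts in the post.
SAMPLE_VULNERABLE='New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : SSLv3'

SAMPLE_SAFE='140128201074504:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'

# Example runs:
#   printf '%s\n' "$SAMPLE_VULNERABLE" | classify_ssl3_output   # vulnerable
#   printf '%s\n' "$SAMPLE_SAFE" | classify_ssl3_output         # not-vulnerable
#   probe_ssl3 hostname.foo.com 443                             # live check
```

The classifier keys on the session summary rather than on the first "New, TLSv1/SSLv3" line, because that line names the cipher family and appears in both successful and failed negotiations; only the "Protocol : SSLv3" line in SSL-Session confirms that an SSLv3 session was actually established.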



I suspect most servers with SSL will have SSL3 enabled, making the situation more widespread than some people may realize. This is operating-system agnostic, so Microsoft, IBM, Red Hat, Oracle, VCE, et al. will all be publishing lists of affected products and tools needing attention.


Fixing The Exploit

At this time a proper fix is unavailable. As of midnight EDT on Wednesday, Red Hat has not released a fix yet, but is working on it. Other companies will need to do the same, as will browser ISVs to ensure compatibility. In the meantime, the suggested work-arounds are as follows:
1. Disable SSLv3 on your servers
2. Even if disabling SSLv3 is impractical, consider using TLSv1.1 and TLSv1.2 with the TLS_FALLBACK_SCSV parameter enabled on your TLS servers (an Internet-Draft is available). This process may cause a few issues with some IBM products (to be fair, most vendors' products will have issues, even if only temporarily).
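Work-around 1 is a configuration change, and httpd is one of the affected components in the Red Hat table. The script below is an added example, not from the post or from Red Hat: ssl3_allowed reads the mod_ssl SSLProtocol directive from a configuration file and reports whether SSLv3 is still permitted, so the change can be verified before the server is restarted. It understands the usual token forms (all, +SSLv3, SSLv3, -SSLv3, and explicit TLS allow-lists) but ignores per-VirtualHost scoping; the three sample configuration files are constructed and written to temporary files.

```shell
#!/bin/sh
# Added example (not from the post or from Red Hat): audit the mod_ssl
# "SSLProtocol" directive in an httpd configuration file and report whether
# SSLv3 is still permitted. Simplification: the last directive in the file
# wins, and <VirtualHost> scoping is not tracked.

# ssl3_allowed CONFIG_FILE  -> prints "allowed" or "disabled"
ssl3_allowed() {
    # Comment lines start with '#' and therefore do not match this anchor.
    line=$(grep -i '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1)
    if [ -z "$line" ]; then
        # No directive at all: mod_ssl's default of "all" includes SSLv3.
        echo allowed
        return
    fi
    positive=no   # SSLv3 enabled by "all", "+all", "SSLv3" or "+SSLv3"
    negative=no   # SSLv3 explicitly removed with "-SSLv3" (removal always wins)
    set -- $line
    shift         # drop the "SSLProtocol" keyword itself
    for tok in "$@"; do
        case "$tok" in
            all|+all|SSLv3|+SSLv3) positive=yes ;;
            -SSLv3)                negative=yes ;;
        esac
    done
    if [ "$positive" = yes ] && [ "$negative" = no ]; then
        echo allowed
    else
        echo disabled
    fi
}

# Constructed sample configurations: the weak setting beside the corrected one.
WEAK_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
WHITELIST_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF" "$WHITELIST_CONF"' EXIT

cat > "$WEAK_CONF" <<'EOF'
# common pre-POODLE stanza: everything except SSLv2, so SSLv3 is still on
SSLEngine on
SSLProtocol all -SSLv2
EOF

cat > "$HARDENED_CONF" <<'EOF'
# corrected stanza: SSLv3 removed, as work-around 1 advises
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
EOF

cat > "$WHITELIST_CONF" <<'EOF'
# equivalent allow-list form: only TLS versions are named, so SSLv3 is off
SSLEngine on
SSLProtocol TLSv1 TLSv1.1 TLSv1.2
EOF

# Example run:
#   for f in "$WEAK_CONF" "$HARDENED_CONF" "$WHITELIST_CONF"; do
#       echo "$f: $(ssl3_allowed "$f")"
#   done
```

Disabling SSLv3 in the server configuration addresses the protocol itself; TLS_FALLBACK_SCSV (work-around 2) is a separate mechanism that lets a client signal that it is retrying at a lower version, so a server that supports it can refuse a forced downgrade. The two are complementary, and a configuration audit like this one only covers the first.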

Red Hat's in-scope products (at this time) are here:

Product                     Affected Component(s)
Red Hat Enterprise Linux    Tomcat, Firefox/Chromium, httpd, OpenSSL
JBoss Enterprise Middleware Tomcat/JBoss Web, httpd, OpenSSL
Red Hat Network Satellite   Tomcat
Red Hat Certificate System  Tomcat
Inktank Ceph Enterprise     httpd




Notations

1. Each affected component links to a product-specific technote on how to address the fix for that product, along with more focused testing;
2. The table is current as of this writing and may expand as Red Hat releases a fix and other affected products are identified.

Google provided a white paper entitled This POODLE Bites: Exploiting the SSL 3.0 Fallback, which provides greater detail on the suggested TLS settings and the exploit itself. Google also suggests using TLS_FALLBACK_SCSV.

More later when a fix is released. Good luck.

---------------------
http://www.BillMal.com/billmal/billmal.nsf/dx/ssl3.poodle.intro.htm
Oct 15, 2014