193 Lotus blogs updated hourly. Who will post next? Home | Blogs | Search | About 
 
Latest 7 Posts
Do You Have An Opinion on the Domino Application Platform Direction? Read This.
Thu, May 18th 2017 277
The ICS on Linux Round Table Session Notes
Mon, May 15th 2017 26
"Why the Largest Companies in the World Count on Linux Servers"
Tue, May 9th 2017 4
Join Barry Rose, Daniel Nash, and Myself for the ICS on Linux Round Table on Monday at Engage!
Sun, May 7th 2017 4
Join Serdar Basegmez and Myself on Tuesday’s TLCC XPages Webinar Series
Mon, May 1st 2017 2
Attention All Loti, ICS Faithful, and IBM Community Members... A New Conference is Coming in 2018!
Fri, Apr 28th 2017 5
Linuxfest at IBM Connect 2017
Sat, Feb 18th 2017 7
Top 10
Do You Have An Opinion on the Domino Application Platform Direction? Read This.
Thu, May 18th 2017 277
The ICS on Linux Round Table Session Notes
Mon, May 15th 2017 26
IBM Verse On-premises Third Post: Updated Schema, New Features
Thu, Sep 22nd 2016 12
IBM Verse On-premises Architecture and Insight
Wed, Aug 3rd 2016 11
Come to IBM Connect 2017 and See Me Speak in the Developer’s Track!
Thu, Feb 16th 2017 11
Linux Bash Bug - Shellshock - is Real: Get Patched (Mac Too)
Thu, Sep 25th 2014 10
How To Receive Ubuntu 12.04 Kernel Updates After 7 August 2014
Wed, Jul 16th 2014 8
New SSL3 Exploit: The POODLE Is Here and Lifting Its Leg
Wed, Oct 15th 2014 8
Linuxfest at IBM Connect 2017
Sat, Feb 18th 2017 7
Travel Tip: Getting Answers to Obscure Travel Questions Before You Depart
Tue, Jul 29th 2014 6


New SSL3 Exploit: The POODLE Is Here and Lifting Its Leg
Twitter Google+ Facebook LinkedIn Addthis Email Gmail Flipboard Reddit Tumblr WhatsApp StumbleUpon Yammer Evernote Delicious
Bill Malchisky    

Here we go again... another blockbuster security exploit with another clever code name is announced. POODLE (Padding Oracle On Downgraded Legacy Encryption) CVE-2014-3566 specifically allows a man-in-the-middle style attack utilizing an SSL3 connection. Once again, Red Hat does a stellar job offering full details on background, technical specifics, and testing. Google's Online Security Blog post is exceedingly terse when contrasting. Here is what you need to know.

What is It?

CVE-2014-3566 allows one to decrypt ciphertext using a padding oracle side-channel attack.

Severity

It is categorized as a High priority and High Severity, which is the third highest of the former and second highest on the latter. So, although this is a nasty exploit, the damage to your systems could be worse. In the short-run, take care of it.

Red Hat is making this a top priority and has a KB article (#1232123) on the subject. Excerpts are below. Also, Google's security blog has a couple of paragraphs on this exploit and an eye towards a patch for their products.


Testing for the Vulnerability

Run this command on your server or remotely if easier to see if your server is vulnerable. This does not text specific applications on said server that may be configured to use SSLv3

malchw@san-domino:~$ openssl s_client -connect localhost:443 -ssl3

malchw@san-domino:~$ openssl s_client -connect [hostname.foo.com]:443 -ssl3


Note: Change the port number and hostname to suite your specific test case.


Positive result

If you see something similar to this, you are vulnerable
Results - New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA

Server public key is 1024 bit

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONE

SSL-Session:

   Protocol  : SSLv3



Negative Result

Else, you are fine, if this excerpt is close to your output:
140128201074504:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40

140128201074504:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:


---

New, (NONE), Cipher is (NONE)

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONESSL-Session:



I suspect most servers with SSL will have SSL3 enabled, making the situation more wide-spread than some people may realize. This is operating system agnostic, so Microsoft, IBM, Red Hat, Oracle, VCE, et alia will all have upcoming product lists with affected products and tools, needing attention.


Fixing The Exploit

At this time a proper fix is unavailable. As of midnight EDT on Wednesday, Red Hat has not released a fix yet, but is working on it. Other companies will need to do the same, as well as browser ISVs to ensure compatibility. In the mean time, the suggested work-arounds are as follows:
1. Disable SSLv3 on your servers
2. Even if impractical to do disable SSLv3, consider using TLSv1.1 and TLSv1.2 with the  TLS_FALLBACK_SCSV parameter on your TLS servers enabled (Internet white paper draft available). This process may cause a few issues with some IBM products (to be fair, most vendors products will have issues even temporarily).

Red Hat's in-scope products (at this time) are here:
Product
Affected Component(s)
Red Hat Enterprise Linux Tomcat, Firefox/Chromium, httpd, OpenSSL
JBoss Enterprise Middleware Tomcat/JBoss Web, httpd, OpenSSL
Red Hat Network Satellite Tomcat
Red Hat Certificate System Tomcat
Inktank Ceph Enterprise httpd




Notations

1. Each affected component's hotspot offers a product specific technote on how to address the fix for the specific product and more focused testing too;
2. The table is current at the time of this writing and may expand as a fix is released by Red Hat and other products identified

Google provided a white paper entitled, This POODLE Bites: Exploiting the SSL 3.0 Fallback, which provides greater detail on the TLS suggested settings and the exploit itself. Google is suggesting the use of TLS_FALLBACK_SCSV too.

More later when a fix is released. Good luck.

---------------------
http://www.BillMal.com/billmal/billmal.nsf/dx/ssl3.poodle.intro.htm
Oct 15, 2014
9 hits



Recent Blog Posts
277
Do You Have An Opinion on the Domino Application Platform Direction? Read This.
Thu, May 18th 2017 6:15a   Bill Malchisky Jr.
As Barry Rosen mentioned during our Engage session last week, ICS Offering Management is seeking feedback around the Domino application platform. This opportunity is significant enough that I felt it appropriate to author a separate post. Currently, IBM is looking for feedback in the areas of APIs, XPages, Domino on Bluemix, Docker, and well, anything else you want to add in the development space. I took the survey and found it to be straight forward with plenty of opportunity to provide you
26
The ICS on Linux Round Table Session Notes
Mon, May 15th 2017 6:00a   Bill Malchisky Jr.
Great session last Monday. We filled the table with overflow and discussed many good topics raised by the attendees. Below are the notes and some of the URLs cited during the event. Please feel free to comment and keep the discussion going. IBM Notes FP7 is the last update for the Linux client;, no further feature packs will be offered for the Linux client Support will be best effort from here and will continued to be support up to 9.0.1 FP7 on thee then current set of operating systems.
4
"Why the Largest Companies in the World Count on Linux Servers"
Tue, May 9th 2017 3:00a   Bill Malchisky Jr.
I read this morning a great piece in Linux Journal by Petros Koutoupis. The author's name being new to me, I read the article with an open mind. What I found is this introductory level article offered a decent dissection of this important topic. As I've covered over the years in my Lotus on Linux Report presentation series, more companies outside of Microsoft use Linux for their edge servers than any other operating system. That data point continues to this day. Additionally, despite recent de
4
Join Barry Rose, Daniel Nash, and Myself for the ICS on Linux Round Table on Monday at Engage!
Sun, May 7th 2017 4:30p   Bill Malchisky Jr.
This year at Engage in Antwerp, Belgium, I am speaking with Barry Rosen of IBM and Daniel Nash. We are covering all things ICS related on Linux. Happy to have the opportunity to present with both Barry and Daniel on such a topic. A lot has changed in the past six months with IBM's support for Linux. This is the session to learn about those changes and provide input directly to IBM. Looking forward to a great discussion and learning experience. See you on Monday! Date: Monday, May 8 Time: 11
2
Join Serdar Basegmez and Myself on Tuesday’s TLCC XPages Webinar Series
Mon, May 1st 2017 4:43p   Bill Malchisky Jr.
On Tuesday, May 2, Back from the Dead goes live via the TLCC's XPages Webinar Series, sponsored by Teamstudio! Time: 10:30 AM EDT / 9:30 AM CDT / 7:30 AM PDT / 3:30 PM BST / 4:30 PM CEDT Register Here! It's free! Back from the Dead: When Bad Code Kills a Good Server It's Friday and a new customer calls. Their mission critical app is taking :05 to open documents and the users are quite concerned. Where do you start when handed a 20 year old application you have never seen, on a serv
5
Attention All Loti, ICS Faithful, and IBM Community Members... A New Conference is Coming in 2018!
Fri, Apr 28th 2017 6:05a   Bill Malchisky Jr.
IBM Think 2018. Bringing together World of Watson and InterConnect to form the technology industry's most important event Great news! I am very excited to report that IBM is doing something excellent with their conferences next year. IBM is combining Connect, InterConnect, World of Watson, PartnerWorld, Edge, Amplify, and Vision all into one massive technology show in 2018. What is this conference called? IBM Think 2018! In my opinion, this is a logical move with IBM recognizing customers a
7
Linuxfest at IBM Connect 2017
Sat, Feb 18th 2017 10:54p   Bill Malchisky Jr.
Hi Everyone! Just a quick update on Linuxfest... As I've been involved since Lotusphere 2010 offering the first two Linux Installfests with Joe Litton, and co-offered Linuxfest at Lotusphere, Connect, and ConnectED ever since, I wanted to take a moment and provide a quick update. Wes Morgan and I had a few conversations on this year's event and the new city. We both concluded with the new development schedule within IBM, the we should skip a year. Thus, Linuxfest VIII will be delayed a y
11
Come to IBM Connect 2017 and See Me Speak in the Developer’s Track!
Thu, Feb 16th 2017 7:10p   Bill Malchisky Jr.
Yes, for the first time, I'm speaking in the Development, Design and Tools track. A bit nervous and excited simultaneously. A new audience for me! Fortunately, I'll be co-presenting with Serdar Basegmez to ensure that everyone in the audience will receive quality information from multiple perspectives. Looking forward to attending IBM Connect 2017. See you in San Francisco! Back from the Dead: W/hen Bad Code Kills a Good Server Session link Calendar File: If you never sat-in on a
5
Interesting in Going to IBM Connect 2017? Contact me for a $100 Discount
Thu, Jan 19th 2017 3:06p   Bill Malchisky Jr.
Hi Everyone and Happy New Year to all of you. Best of luck in the new year. I have a couple of posts for IBM Connect in the works. Lets commence new year with a new discount. As an IBM Champion for 2017, IBM is allowing us to offer $100 discounts to friends who may be interested in attending. If you are on the fence, know that the session list is attractive with over 200 being offered. Success stories from customers will be on display, along with the technical labs returning as well. Thus, you c
4
Notes Domino Templates Get Slated for an Update. Here’s the Roadmap
Mon, Oct 3rd 2016 2:05a   Bill Malchisky Jr.
This is the first of two roadmap posts I authored for release this week. Beyond my post last month where I covered lightly that templates would be upgraded, Barry Rosen provided an updated roadmap with two slides covering just Notes Domino Templates. For simplicity, I copy-pasted the prose from the first slide to make it searchable, and appended the time table slide for the second. Nice to see some progress here too. Nice to see that they are filling in the hole created previously from multiple




Created and Maintained by Yancy Lent - About - Planet Lotus Blog - Advertising - Mobile Edition