|Latest 7 Posts
| IBM Domino and Docker Support Announced|
Wed, Aug 16th 2017 5
| Attention IBM Customers and BPs, Be Heard! New IBM Notes/Domino Application Survey |
Tue, Aug 15th 2017 1
| IBM Think 2018 Session Abstract Submission Date Announced|
Mon, Aug 14th 2017 4
| MWLUG - Linuxfest DC Guest Speaker Announced|
Wed, Aug 2nd 2017 2
| "As We Age, Don’t Give Up. Keep Doing." And More Wisdom from George Jedenoff’s "The Powder Philosophy"|
Sat, Jul 1st 2017 4
| Do You Have An Opinion on the Domino Application Platform Direction? Read This.|
Thu, May 18th 2017 1
| The ICS on Linux Round Table Session Notes|
Mon, May 15th 2017 5
| How To Receive Ubuntu 12.04 Kernel Updates After 7 August 2014|
Wed, Jul 16th 2014 10
| Linux Bash Bug - Shellshock - is Real: Get Patched (Mac Too)|
Thu, Sep 25th 2014 10
| IBM Verse On-premises Architecture and Insight|
Wed, Aug 3rd 2016 9
| Firefox Upgrade Kills iNotes, ICS SSL Product Access with Domino CA/Self-Signed Certs|
Sun, Aug 3rd 2014 8
| Skype 4.3 on Linux Crashing? Here’s a Fix.|
Tue, Aug 5th 2014 8
| A Conversation with Barry Rosen, at IBM: Part I|
Tue, Sep 20th 2016 8
| Awesome Linux Reference Sheets for Developers (and Administrators)|
Tue, Sep 27th 2016 8
| Notes Domino Templates Get Slated for an Update. Here’s the Roadmap|
Mon, Oct 3rd 2016 8
| IBM’s Lost Art of Installation is Costing Them Revenue|
Mon, Aug 25th 2014 7
| New SSL3 Exploit: The POODLE Is Here and Lifting Its Leg|
Wed, Oct 15th 2014 7
||New SSL3 Exploit: The POODLE Is Here and Lifting Its Leg
Here we go again... another blockbuster security exploit with another clever code name is announced. POODLE (Padding Oracle On Downgraded Legacy Encryption) CVE-2014-3566 specifically allows a man-in-the-middle style attack utilizing an SSL3 connection. Once again, Red Hat does a stellar job offering full details on background, technical specifics, and testing. Google's Online Security Blog post is exceedingly terse when contrasting. Here is what you need to know.
What is It?
CVE-2014-3566 allows one to decrypt ciphertext using a padding oracle side-channel attack.
It is categorized as a High priority and High Severity, which is the third highest of the former and second highest on the latter. So, although this is a nasty exploit, the damage to your systems could be worse. In the short-run, take care of it.
Red Hat is making this a top priority and has a KB article (#1232123) on the subject. Excerpts are below. Also, Google's security blog has a couple of paragraphs on this exploit and an eye towards a patch for their products.
Testing for the Vulnerability
Run this command on your server or remotely if easier to see if your server is vulnerable. This does not text specific applications on said server that may be configured to use SSLv3
malchw@san-domino:~$ openssl s_client -connect localhost:443 -ssl3
malchw@san-domino:~$ openssl s_client -connect [hostname.foo.com]:443 -ssl3
Note: Change the port number and hostname to suite your specific test case.
If you see something similar to this, you are vulnerable
Results - New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Protocol : SSLv3
Else, you are fine, if this excerpt is close to your output:
140128201074504:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140128201074504:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
I suspect most servers with SSL will have SSL3 enabled, making the situation more wide-spread than some people may realize. This is operating system agnostic, so Microsoft, IBM, Red Hat, Oracle, VCE, et alia will all have upcoming product lists with affected products and tools, needing attention.
Fixing The Exploit
At this time a proper fix is unavailable. As of midnight EDT on Wednesday, Red Hat has not released a fix yet, but is working on it. Other companies will need to do the same, as well as browser ISVs to ensure compatibility. In the mean time, the suggested work-arounds are as follows:
1. Disable SSLv3 on your servers
2. Even if impractical to do disable SSLv3, consider using TLSv1.1 and TLSv1.2 with the TLS_FALLBACK_SCSV parameter on your TLS servers enabled (Internet white paper draft available). This process may cause a few issues with some IBM products (to be fair, most vendors products will have issues even temporarily).
Red Hat's in-scope products (at this time) are here:
1. Each affected component's hotspot offers a product specific technote on how to address the fix for the specific product and more focused testing too;
2. The table is current at the time of this writing and may expand as a fix is released by Red Hat and other products identified
Google provided a white paper entitled, This POODLE Bites: Exploiting the SSL 3.0 Fallback, which provides greater detail on the TLS suggested settings and the exploit itself. Google is suggesting the use of TLS_FALLBACK_SCSV too.
More later when a fix is released. Good luck.
Oct 15, 2014
| Recent Blog Posts
IBM Domino and Docker Support Announced|
Wed, Aug 16th 2017 2:00a Bill Malchisky Jr.
During Barry Rosen's Future directions on Notes/Domino session and again during our Linuxfest DC session last week at MWLUG, IBM announced that they will support Domino on Docker with Domino 9.0.1 FP10. Originally, this support would be announced in 2018, but due to the success of the IBM Application Insights Survey announced at Engage, IBM changed their task priorities and accelerated Docker support based upon your input. FP10 is scheduled to be released by EOY 2017. The next question is,
Attention IBM Customers and BPs, Be Heard! New IBM Notes/Domino Application Survey |
Tue, Aug 15th 2017 2:00a Bill Malchisky Jr.
After the success of the first IBM survey announced at our IBM Engage session in May (see link to post)---which helped to re-prioritize new capabilities like Docker---Barry Rosen announced a new survey at MWLUG. I completed it and am pleased with this survey's focus on APIs, app modernization, along with creating a new feeling that IBM is serious about Domino as an application development platform. The first survey results really had an impact and moved up significantly Docker support (more
IBM Think 2018 Session Abstract Submission Date Announced|
Mon, Aug 14th 2017 2:00a Bill Malchisky Jr.
IBM announced that commencing on 21 Aug 2017, you can submit abstracts for IBM Think 2018. As of this writing, there does not appear to be information on session tracks, other than a pop-up informing prospective presenters to be creative. As I've watched the conference site frequently over the past few weeks, no additional information being available on tracks, implies to me we will learn this on Monday, 21 Aug. Thus, if you are considering submitting a session, you can start thinking about wha
MWLUG - Linuxfest DC Guest Speaker Announced|
Wed, Aug 2nd 2017 9:31a Bill Malchisky Jr.
On Thursday, 10 Aug 2017, I will be presenting Linuxfest DC at this year's MWLUG located in DC. In order to provide an informative experience for attendees, I sought a special guest speaker to join me. Today, I am pleased to announce Barry Rosen will be co-presenting with me for an extended special breakfast session. We will be covering IBM's current Linux strategy, plus provide technical information to ensure that all session attendees gain knowledge they can use immediately upon returning fr
"As We Age, Don’t Give Up. Keep Doing." And More Wisdom from George Jedenoff’s "The Powder Philosophy"|
Sat, Jul 1st 2017 3:40a Bill Malchisky Jr.
Well, I inadvertently held this post, so let's publish it now. In early 2016---in his then 56th consecutive year of skiing at Alta and Snowbird in Utah---Mr. George Jedenoff at the age of 98 took a few minutes to discuss his Powder Philosophy. A positive uplifting message that will leave you with a smile. Worth a few minutes to view and learn a bit from his years of wisdom. He still rips groomers and fresh powder, while also enjoying tree skiing--again at 98 years old. Stay healthy, believe
Do You Have An Opinion on the Domino Application Platform Direction? Read This.|
Thu, May 18th 2017 6:15a Bill Malchisky Jr.
As Barry Rosen mentioned during our Engage session last week, ICS Offering Management is seeking feedback around the Domino application platform. This opportunity is significant enough that I felt it appropriate to author a separate post. Currently, IBM is looking for feedback in the areas of APIs, XPages, Domino on Bluemix, Docker, and well, anything else you want to add in the development space. I took the survey and found it to be straight forward with plenty of opportunity to provide you
The ICS on Linux Round Table Session Notes|
Mon, May 15th 2017 6:00a Bill Malchisky Jr.
Great session last Monday. We filled the table with overflow and discussed many good topics raised by the attendees. Below are the notes and some of the URLs cited during the event. Please feel free to comment and keep the discussion going. IBM Notes FP7 is the last update for the Linux client;, no further feature packs will be offered for the Linux client Support will be best effort from here and will continued to be support up to 9.0.1 FP7 on thee then current set of operating systems.
"Why the Largest Companies in the World Count on Linux Servers"|
Tue, May 9th 2017 3:00a Bill Malchisky Jr.
I read this morning a great piece in Linux Journal by Petros Koutoupis. The author's name being new to me, I read the article with an open mind. What I found is this introductory level article offered a decent dissection of this important topic. As I've covered over the years in my Lotus on Linux Report presentation series, more companies outside of Microsoft use Linux for their edge servers than any other operating system. That data point continues to this day. Additionally, despite recent de
Join Barry Rose, Daniel Nash, and Myself for the ICS on Linux Round Table on Monday at Engage!|
Sun, May 7th 2017 4:30p Bill Malchisky Jr.
This year at Engage in Antwerp, Belgium, I am speaking with Barry Rosen of IBM and Daniel Nash. We are covering all things ICS related on Linux. Happy to have the opportunity to present with both Barry and Daniel on such a topic. A lot has changed in the past six months with IBM's support for Linux. This is the session to learn about those changes and provide input directly to IBM. Looking forward to a great discussion and learning experience. See you on Monday! Date: Monday, May 8 Time: 11
Join Serdar Basegmez and Myself on Tuesday’s TLCC XPages Webinar Series|
Mon, May 1st 2017 4:43p Bill Malchisky Jr.
On Tuesday, May 2, Back from the Dead goes live via the TLCC's XPages Webinar Series, sponsored by Teamstudio! Time: 10:30 AM EDT / 9:30 AM CDT / 7:30 AM PDT / 3:30 PM BST / 4:30 PM CEDT Register Here! It's free! Back from the Dead: When Bad Code Kills a Good Server It's Friday and a new customer calls. Their mission critical app is taking :05 to open documents and the users are quite concerned. Where do you start when handed a 20 year old application you have never seen, on a serv