There are two new SSL-related issues to be aware of. The first is a vulnerability specific to OpenSSL 0.9.8, 1.0.0 and 1.0.1. The second is an inherent flaw in version 3 of the SSL protocol itself and is not specific to any vendor's implementation.
OpenSSL Vulnerability
The OpenSSL Project issued a security advisory today (October 15, 2014) regarding 4 vulnerabilities. The complete advisory can be viewed on their site at https://www.openssl.org/news/secadv_20141015.txt
The first two vulnerabilities are memory leaks that can result in a denial of service attack. The second two vulnerabilities listed are actually related to the general SSL version 3 flaw below.
SSL version 3 Vulnerability - POODLE
A new flaw in version 3 of SSL has been recently been discovered and nicknamed POODLE. In summary, this is a man-in-the-middle attack that allows the attacker to steal encrypted information. It relies on an older version of SSL from 1996 that is still supported by most modern servers and clients for backwards compatibility.
Remediation
Alpha Software is building and testing updated OpenSSL DLLs. We expect to make DLLs 0.9.8zc and 1.0.1j available shortly. These DLLs will include the fixes for the latest OpenSSL security advisory.
Additionally, Alpha Software's current default Application Server SSL Cipher List already disables SSL v3 so customers using the current default configuration are already protected against POODLE. We recommend anyone running a server with a different cipher list either consider using the list below, or at least add :-SSLv3 to your current list in order to disable SSLv3 support.
The current default SSL Cipher List is below. It is specified on the SSL tab of the Application Server Settings dialog. This cipher list is from https://wiki.mozilla.org/Security/Server_Side_TLS
Further Information
The OpenSSL Project - https://www.openssl.org/
OpenSSL Security Advisory [15 Oct 2014] - https://www.openssl.org/news/secadv_20141015.txt
This POODLE Bites: Exploiting The SSL 3.0 Fallback - https://www.openssl.org/~bodo/ssl-poodle.pdf
Google�s POODLE affects oodles - http://news.netcraft.com/archives/20...ts-oodles.html
OpenSSL Vulnerability
The OpenSSL Project issued a security advisory today (October 15, 2014) regarding 4 vulnerabilities. The complete advisory can be viewed on their site at https://www.openssl.org/news/secadv_20141015.txt
The first two vulnerabilities are memory leaks that can result in a denial of service attack. The second two vulnerabilities listed are actually related to the general SSL version 3 flaw below.
SSL version 3 Vulnerability - POODLE
A new flaw in version 3 of SSL has been recently been discovered and nicknamed POODLE. In summary, this is a man-in-the-middle attack that allows the attacker to steal encrypted information. It relies on an older version of SSL from 1996 that is still supported by most modern servers and clients for backwards compatibility.
Remediation
Alpha Software is building and testing updated OpenSSL DLLs. We expect to make DLLs 0.9.8zc and 1.0.1j available shortly. These DLLs will include the fixes for the latest OpenSSL security advisory.
Additionally, Alpha Software's current default Application Server SSL Cipher List already disables SSL v3 so customers using the current default configuration are already protected against POODLE. We recommend anyone running a server with a different cipher list either consider using the list below, or at least add :-SSLv3 to your current list in order to disable SSLv3 support.
The current default SSL Cipher List is below. It is specified on the SSL tab of the Application Server Settings dialog. This cipher list is from https://wiki.mozilla.org/Security/Server_Side_TLS
Code:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
The OpenSSL Project - https://www.openssl.org/
OpenSSL Security Advisory [15 Oct 2014] - https://www.openssl.org/news/secadv_20141015.txt
This POODLE Bites: Exploiting The SSL 3.0 Fallback - https://www.openssl.org/~bodo/ssl-poodle.pdf
Google�s POODLE affects oodles - http://news.netcraft.com/archives/20...ts-oodles.html
Comment