The Poodle SSLv3 - UPDATED - Updated Again


So here we go again...  Another vulnerability has been found in OpenSSL. However, this is very hard to exploit and requires the hacker to have control of your wireless hotspot or network. If that's the case, then you're in trouble anyway!

Update - 16th December 2014

  • The Hot Fix file listed below is now included in our current release, v7.6.3, and we advise customers to upgrade their appliances to this version.

I'm sure that some of you have heard about Poodle v2, which is an attack against TLS 1.2 in some software implementations. Loadbalancer.org would like to inform our customers that our units ARE NOT affected by this latest vulnerability, as we are using the OpenSSL package.

Details of this updated vulnerability can be found at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8730 or https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls and the Qualys SSL Labs test has been updated to check for this issue.

Qualys have again been quick to update their SSL Labs Test tool, which is free to use. It will test your SSL certificate and all the currently usable ciphers for your site.

Anyhow, what is the Poodle? It's not one of those white dogs with a ping pong ball on the end of its feet and tail. The extract of the CVE is this:

The attack, specifically against the SSLv3 protocol, allows an attacker to obtain the plaintext of certain parts of an SSL connection, such as the cookie. Similar to BEAST, but more practical to carry out, POODLE could well signal the end of SSLv3 support.

I would recommend reading this posting from Qualys: "SSL 3 is dead, killed by the POODLE attack".

Update - 21st October 2014

We have now finished testing our new hotfix. We believe that this, in conjunction with the following Cipher List, will give the best possible security for both Pound and STunnel SSL virtual services:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4:HIGH:!MD5:!aNULL:!EDH

The patch file and MD5 file can be found here:

This patch includes various updates relating to Pound, STunnel and Apache and can be applied to your Loadbalancer.org appliance using the Off-line Update option (Maintenance > Software Update > Offline Update).

Once applied, modify your Pound/STunnel VIP and copy/paste the above Cipher list into the Ciphers to Use field and also enable (check) the **Disable SSLv3 Ciphers** checkbox, then click Update.

Apache should be restarted using the following command at the console or via an SSH session:

service httpd restart

Pound/STunnel should be restarted as prompted.
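To confirm after the restart that a VIP really refuses SSLv3, the following added example (not Loadbalancer.org code) sends a bare SSLv3 ClientHello over a raw socket, so it does not depend on the local OpenSSL build still supporting SSLv3, and classifies the first bytes of the reply. The offered cipher suites, the function names and the script name in the usage comment are assumptions made for this example; the host is whatever you pass on the command line.

```python
import os
import socket
import struct
import sys

SSL3 = b"\x03\x00"
# Suites offered by the probe (constructed selection of SSLv3-era suites):
# RSA_RC4_128_SHA, RSA_3DES_EDE_CBC_SHA, RSA_AES_128_CBC_SHA, RSA_AES_256_CBC_SHA
SUITES = (0x0005, 0x000A, 0x002F, 0x0035)


def build_sslv3_client_hello(random_bytes=None):
    """Return a single SSLv3 record containing a minimal ClientHello."""
    random_bytes = random_bytes or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (SSL3 + random_bytes + b"\x00"      # client_version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                     # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data):
    """Classify the first bytes the server sends back to the SSLv3 hello."""
    if not data or data[0] == 0x15:
        return "refused"                       # connection closed, or alert record
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        # ServerHello: server_version follows the 5-byte record and 4-byte handshake headers
        return "sslv3-accepted" if data[9:11] == SSL3 else "other-version"
    return "unknown"


def probe(host, port=443, timeout=5.0):
    """Send the hello to host:port and report how the listener answered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            return classify_reply(sock.recv(64))
    except ConnectionResetError:
        return "refused"                       # listener reset the connection


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python3 check_sslv3.py <your-vip-hostname> [port]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(sys.argv[1], port))
```

A result of `sslv3-accepted` means the listener still negotiates SSLv3 and the VIP settings should be rechecked; `refused` is the expected answer once SSLv3 is disabled.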

IMPORTANT: Please note that this patch will only work on v7.6.2, so if you're running an older version you'll first need to upgrade to v7.6.2. Also, as always, we would advise that you update your units in a scheduled maintenance window, as both Pound and STunnel will be affected.