Updated: Security Advisory: Important SSL Vulnerability
Posted by Kevin Stange on 15 October 2014 02:12 PM |
|
Update 10/16 5:00 PM CDT: CentOS has released OpenSSL packages that provide limited protection for clients that connect using TLS. This does not fix the issue in SSL version 3.0 and we still recommend disabling it completely even if you update OpenSSL. The following message has been revised with the new information. A vulnerability has recently been disclosed, which affects all software that supports SSL version 3.0. This problem impacts all operating systems, including CentOS, Windows, and Debian. This issue is known as "POODLE" which stands for "Padding Oracle On Downgraded Legacy Encryption." It has been assigned ID CVE-2014-3566 in the Common Vulnerabilities and Exposures database. This vulnerability may allow a third party to decrypt information with a trivial amount effort if they are able to force an encrypted connection to downgrade from TLS to SSL and repeatedly try to send the same data over and over. The highest risk of this situation exists for users that connect to servers from public networks. It affects most client software, such as web browsers and email clients, and most server software, including web servers, mail servers, and control panels. The vulnerability is a flaw in the design of SSL version 3.0, which was the final version of SSL before it was superseded by the new TLS standard in 1999. The TLS standard is often referred to as "SSL" along with the SSL standard, however TLS is not directly impacted. There is no patch to solve the SSL problem, as it is a design flaw in the protocol. However, CentOS has released updated packages for OpenSSL that implement a security feature in TLS to prevent downgrading a connection to SSL unsafely. A connection that is established using SSL directly will still be vulnerable. Other operating systems have not yet received updates. If you wish to install the updated packages, run the following on a CentOS server: yum clean all You should then restart any other services that use OpenSSL, such as your web server and mail server. We still recommend completely disabling SSL version 3.0 in your applications and services, as it is the only way to fully eliminate the vulnerability. This process varies for each individual service and operating system and is beyond the reasonable scope of this announcement to explain. Google and Mozilla have also indicated plans to release software updates to web browsers in the near future to disable SSL version 3.0 completely and to implement new protections to prevent the technique of the exploit from working. Microsoft has not announced any specific plans for removing SSL version 3.0 from any software. All modern web browsers and other client software support TLS versions 1.0 or higher. The most recent revision of TLS is version 1.2. If you have any questions or need assistance with disabling SSL version 3.0 for any of your services, please contact us and we'll be happy to help. | |