SSLv3 bug on legacy CentOS 4.x systems

A 5 star hangout for overworked and underpaid system admins.
Post Reply
_ck_
Posts: 89
Joined: 2012/08/10 23:00:35

SSLv3 bug on legacy CentOS 4.x systems

Post by _ck_ » 2014/10/14 13:06:20

Some kind of big SSL 3.0 bug coming out in next 24 hours, we will have to watch and see if centos4 is affected because we won't get an automatic update.

[edit/avij: I pre-emptively split this message to its own topic]

User avatar
avij
Retired Moderator
Posts: 3039
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland
Contact:

Re: SSLv3 bug on legacy CentOS 4.x systems

Post by avij » 2014/10/14 21:55:13

From the jumping-the-gun dept.:

Details about this are still scarce, but assuming the problem is with the SSL protocol version 3, I would consider simply disabling SSLv3 support. In practical terms you'd be throwing out everyone who is still stuck with MSIE6. On the website that I manage, less than 0.2% of users are using MSIE6 (and no, it's not a "Linux users" website). Therefore I didn't feel particularly bad when I disabled SSLv3. Googling for yoursoftware "disable sslv3" will surely give you hints for making the config changes. The successor of SSLv3 is TLS. TLS v1.0 has been around since 1999. It's about time SSL gets buried, IMHO.

_ck_
Posts: 89
Joined: 2012/08/10 23:00:35

Re: SSLv3 bug on legacy CentOS 4.x systems

Post by _ck_ » 2014/10/15 02:18:00

Right but it is important to get the word out. Some software has its own front facing webserver for admin panels, etc.

Here are the details, it is called the POODLE attack, CVE­-2014­-3566 

http://googleonlinesecurity.blogspot.co ... sl-30.html

(PDF) https://www.openssl.org/~bodo/ssl-poodle.pdf

I guess unlike bash, centos4 is not really a worrisome target.

User avatar
avij
Retired Moderator
Posts: 3039
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland
Contact:

Re: SSLv3 bug on legacy CentOS 4.x systems

Post by avij » 2014/10/15 09:42:07


_ck_
Posts: 89
Joined: 2012/08/10 23:00:35

Re: SSLv3 bug on legacy CentOS 4.x systems

Post by _ck_ » 2014/10/15 15:57:41

Looks like there was another security issue beyond SSLv3 that that does indeed affect the openssl 0.9 in centos4

Otherwise an attacker could exhaust memory and create a dos

https://www.openssl.org/news/secadv_20141015.txt

Session Ticket Memory Leak (CVE-2014-3567)
==========================================
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service attack.

OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

User avatar
avij
Retired Moderator
Posts: 3039
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland
Contact:

Re: SSLv3 bug on legacy CentOS 4.x systems

Post by avij » 2014/10/15 19:12:20

_ck_ wrote:Looks like there was another security issue beyond SSLv3 that that does indeed affect the openssl 0.9 in centos4
Red Hat's bugzilla entry for this CVE says CentOS 5 is not affected, because "openssl-0.9.8e does not include support for session tickets". I would think C4's OpenSSL doesn't support them either.

Post Reply

Return to “CentOS Social”