[
https://issues.apache.org/jira/browse/DIRSERVER-2020?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14215082#comment-14215082
]
RakeshAcharya commented on DIRSERVER-2020:
------------------------------------------
We have a tool which scans the servers for the latest vulnerabilities. So on
the server where we have only ApacheDS running we got an SSLv3 (POODLE
vulnerability) finding on the port which is used by ApacheDS for SSL.
It doesn't say anything at the code level but clearly states my LDAPS port is
vulnerable. Below are the details it gives me in the scan report, although they
are generic.
THREAT:
The SSL protocol 3.0 design error, uses nondeterministic CBC padding, which
makes it easier for man-in-the-middle attacks.
The target supports SSLv3, which makes it vulnerable to POODLE (Padding Oracle
On Downgraded Legacy Encryption), even if it also supports more recent versions
of TLS. It's subject to a downgrade attack, in which the attacker tricks the
browser into connecting with SSLv3.
IMPACT:
An attacker who can take a man-in-the-middle (MitM) position can exploit this
vulnerability and gain access to encrypted communication between a client and
server.
When I ran the openssl check, it does say SSLv3 is the one being used and
available. If the server is using TLS then it shouldn't return this.
I know we use TLS and there is no option for choosing anything else; is there
any way to enforce SSLv3 to be disabled at all?
I am using ApacheDS 2.0.0.M-10 and Java 6 latest update.
> Poodle remediation for ApacheDS 2.X
> -----------------------------------
>
> Key: DIRSERVER-2020
> URL: https://issues.apache.org/jira/browse/DIRSERVER-2020
> Project: Directory ApacheDS
> Issue Type: Task
> Components: ldap
> Affects Versions: 2.0.0-M10
> Environment: Production
> Reporter: RakeshAcharya
> Priority: Critical
> Labels: patch
>
> How do we disable the SSLv3 protocol for ApacheDS 2.X?
> As part of POODLE remediation we need to disable SSLv3 ASAP in production
> boxes, as the scan showed it's vulnerable.
> I can't find any configuration pertaining to the same which I could change.
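For reference, this is what restricting a Java server-side SSLEngine to TLS-only protocols looks like; it is an added example, not ApacheDS code or configuration, and it does not claim where (or whether) ApacheDS exposes its engine for such a call. The class and method names are mine, and the engine is obtained from the JVM default SSLContext purely to show the before/after protocol lists.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added illustration (not ApacheDS's own code): drop SSLv3 and the SSLv2
// hello from a server-side engine so a POODLE downgrade cannot succeed.
public final class LdapsProtocolHardening {

    // Protocol names that must never remain enabled on an LDAPS listener.
    private static final List<String> FORBIDDEN =
            Arrays.asList("SSLv2Hello", "SSLv3");

    /** Keeps only TLS protocol names from the engine's supported set. */
    static String[] tlsOnly(String[] supported) {
        List<String> keep = new ArrayList<String>();
        for (String p : supported) {
            if (p.startsWith("TLSv") && !FORBIDDEN.contains(p)) {
                keep.add(p);
            }
        }
        return keep.toArray(new String[keep.size()]);
    }

    /** Configures a server-mode engine to negotiate TLS versions only. */
    static SSLEngine harden(SSLEngine engine) {
        engine.setUseClientMode(false);
        engine.setEnabledProtocols(tlsOnly(engine.getSupportedProtocols()));
        return engine;
    }

    /** True while SSLv3 (or the SSLv2 hello) is still negotiable. */
    static boolean acceptsSslv3(SSLEngine engine) {
        for (String p : engine.getEnabledProtocols()) {
            if (FORBIDDEN.contains(p)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        System.out.println("before: " + Arrays.toString(engine.getEnabledProtocols())
                + " acceptsSslv3=" + acceptsSslv3(engine));
        harden(engine);
        System.out.println("after:  " + Arrays.toString(engine.getEnabledProtocols())
                + " acceptsSslv3=" + acceptsSslv3(engine));
    }
}
```

On a Java 6 runtime the only TLS name left after hardening is TLSv1, which is why the scanner finding can be cleared without moving to a newer JDK, though later JDKs add TLSv1.1 and TLSv1.2 to the kept list.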