[ https://issues.apache.org/jira/browse/DIRSERVER-2020?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14218469#comment-14218469 ]

Chris Custine commented on DIRSERVER-2020:
------------------------------------------

There is probably zero risk of anyone exploiting ApacheDS or LDAP API using POODLE. The downgrade to SSLv3 is merely an enabler of the more complicated attack, which requires injecting and running arbitrary code on the client side. Furthermore, the only useful part of this exploit is decrypting cookies, and I am not aware of any cookie exchange as part of the ApacheDS or LDAP API interactions. It takes an average of 256 very specifically engineered requests by the injected code (i.e. JavaScript in a compromised browser) to decrypt a single byte of a cookie. This blog has a very good analysis of the exploit, and the first 4 or 5 paragraphs detail the steps I mention above and should put everyone's minds at ease about this affecting a closed, non-browser, non-HTTP server system like ApacheDS and LDAP API.

> Poodle remediation for ApacheDS 2.X
> -----------------------------------
>
>                 Key: DIRSERVER-2020
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2020
>             Project: Directory ApacheDS
>          Issue Type: Task
>          Components: ldap
>    Affects Versions: 2.0.0-M10
>         Environment: Production
>            Reporter: RakeshAcharya
>            Priority: Critical
>              Labels: patch
>
> How do we disable the SSLv3 protocol for ApacheDS 2.X?
> As part of POODLE remediation we need to disable SSLv3 ASAP in production
> boxes, as the scan showed it's vulnerable.
> I can't find any configuration pertaining to the same which I could change.
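The issue asks how to keep an LDAPS listener from negotiating SSLv3. The thread does not identify where ApacheDS 2.0.0-M10 exposes that setting, so the following is an added, generic JSSE example (not ApacheDS code and not taken from this issue): it filters SSLv3 out of the protocols a server socket will accept. `NoSslv3`, `filterProtocols`, `openListener` and port 10636 are hypothetical names and values chosen for the example.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/** Hypothetical helper: drops SSLv3 (and the SSLv2Hello pseudo-protocol) from a JSSE protocol list. */
public final class NoSslv3 {

    // Protocols to refuse on the listener. SSLv2Hello is the compatibility hello format
    // that lets a client open with an SSLv2-style record; removing it as well keeps the
    // server from negotiating anything below TLS 1.0.
    private static final List<String> DISABLED = Arrays.asList("SSLv3", "SSLv2Hello");

    /** Returns the given protocol names minus the disabled ones, order preserved. */
    public static String[] filterProtocols(String[] supported) {
        List<String> kept = new ArrayList<>();
        for (String p : supported) {
            if (!DISABLED.contains(p)) {
                kept.add(p);
            }
        }
        return kept.toArray(new String[0]);
    }

    /** Opens an LDAPS-style listener whose handshake will not accept SSLv3. */
    public static SSLServerSocket openListener(int port) throws IOException {
        SSLServerSocketFactory factory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(port);
        // Start from everything the provider supports and remove the unwanted entries,
        // so the resulting set is explicit rather than dependent on JDK defaults.
        socket.setEnabledProtocols(filterProtocols(socket.getSupportedProtocols()));
        return socket;
    }

    public static void main(String[] args) throws IOException {
        // 10636 is a placeholder port for the example, not a value from this issue.
        try (SSLServerSocket listener = openListener(10636)) {
            System.out.println("Enabled: " + Arrays.toString(listener.getEnabledProtocols()));
        }
    }
}
```

The same result can be enforced JVM-wide by adding `SSLv3` to the `jdk.tls.disabledAlgorithms` property in the JRE's `java.security` file, which also covers code paths that do not pass through this helper.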



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)