Friday, October 17, 2014

Protecting Servers from SSLv3 "POODLE" Vulnerability

Secure Sockets Layer version 3.0 (SSLv3) is an obsolete protocol for establishing an encrypted link between a server and a client.

A vulnerability known as POODLE ("Padding Oracle On Downgraded Legacy Encryption") was reported in SSLv3. An attacker can exploit this vulnerability to obtain users’ cookies and compromise users’ accounts.

This vulnerability has been assigned CVE-2014-3566. For more information, do take a look at Security Vulnerability Alert: POODLE SSLv3.0 vulnerability.

Web system owners are also advised to disable SSLv3 and to enable TLS_FALLBACK_SCSV, which lets a server reject protocol-downgrade attempts from clients that support it while maintaining interoperability with older clients.
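
To show what TLS_FALLBACK_SCSV actually does on the server side, here is an added Python example (not from the original post or from any TLS library) that builds a minimal ClientHello, parses the client_version and cipher suite list out of it, and applies the RFC 7507 rule: when a client includes the signalling suite (value 0x5600) and its client_version is below the server's highest supported version, the server refuses with an inappropriate_fallback alert instead of negotiating the lower version. The ClientHello bytes, the server_max_version and sslv3_enabled parameters, and all function names are constructed for this example.

```python
import struct

# Cipher suite value reserved for the signalling suite TLS_FALLBACK_SCSV (RFC 7507).
TLS_FALLBACK_SCSV = 0x5600
# TLS alert descriptions used below (RFC 5246 and RFC 7507).
ALERT_PROTOCOL_VERSION = 70
ALERT_INAPPROPRIATE_FALLBACK = 86

SSLV3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)


def build_client_hello(client_version, cipher_suites):
    """Build a minimal TLS record holding a ClientHello (constructed test input,
    with a zero random and no session id or extensions)."""
    body = bytes(client_version) + b"\x00" * 32 + b"\x00"     # version, random, session_id
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites            # cipher_suites vector
    body += b"\x01\x00"                                        # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + bytes(client_version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suite values]) from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_version = (body[0], body[1])
    pos = 2 + 32                       # skip client_version and random
    pos += 1 + body[pos]               # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return client_version, suites


def server_decision(record, server_max_version=TLS12, sslv3_enabled=False):
    """Apply the RFC 7507 fallback check, then the server's own protocol policy.

    Returns ("alert", description) when the handshake is refused and
    ("negotiate", version) otherwise (assumed, simplified server logic)."""
    client_version, suites = parse_client_hello(record)
    # A client that is retrying with a lowered version says so with the SCSV;
    # refusing it here is what blocks a forced downgrade to SSLv3.
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    if client_version == SSLV3 and not sslv3_enabled:
        return ("alert", ALERT_PROTOCOL_VERSION)
    return ("negotiate", min(client_version, server_max_version))


if __name__ == "__main__":
    # Constructed exchanges: a retry carrying the SCSV, a normal hello, an SSLv3-only hello.
    downgraded = build_client_hello(TLS10, [0x002F, TLS_FALLBACK_SCSV])
    normal = build_client_hello(TLS12, [0x002F, TLS_FALLBACK_SCSV])
    legacy = build_client_hello(SSLV3, [0x002F])
    print(server_decision(downgraded))                  # ('alert', 86)
    print(server_decision(normal))                      # ('negotiate', (3, 3))
    print(server_decision(legacy))                      # ('alert', 70)
    print(server_decision(legacy, sslv3_enabled=True))  # ('negotiate', (3, 0))
```

The last two calls show why the SCSV is the interoperability option: a server that has to keep SSLv3 for genuinely old clients can still refuse a modern client that is retrying at a lowered version, while a server that simply disables SSLv3 (as in the Apache steps below) never reaches that case at all.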


Do take a look at How To Protect your Server Against the POODLE SSLv3 Vulnerability for the general procedure; the Apache steps for CentOS / Red Hat are highlighted below.

Step 1. On CentOS / Red Hat, open the Apache mod_ssl configuration file:
# vim /etc/httpd/conf.d/ssl.conf

Step 2. Find the SSLProtocol directive and set it so that SSLv3 and SSLv2 are disabled:
SSLProtocol all -SSLv3 -SSLv2

Step 3. Restart the httpd service for the change to take effect:
# service httpd restart
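
To check that the change from Step 2 actually leaves no weak protocol enabled, here is an added Python example (not from the original post or from the Apache project) that evaluates SSLProtocol directives the way mod_ssl does: "+name" adds a protocol, "-name" removes one, and a bare name replaces whatever was chosen so far. It assumes Apache 2.4 semantics, where "all" expands to SSLv3 and the TLS versions but not SSLv2; the sample configuration text and the function names are constructed for this example.

```python
import re

# mod_ssl protocol tokens as understood by Apache 2.4 (assumed here; in 2.4 "all"
# expands to SSLv3 plus the TLS versions and never includes SSLv2).
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
KNOWN_PROTOCOLS = ALL_PROTOCOLS | {"SSLv2"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}


def parse_sslprotocol(value):
    """Evaluate the argument list of one SSLProtocol directive into the set of
    protocols it enables, following mod_ssl's +/- rules: '+name' adds, '-name'
    removes, and a bare name replaces everything chosen so far."""
    enabled = set()
    for token in value.split():
        action, name = "=", token
        if token[0] in "+-":
            action, name = token[0], token[1:]
        # mod_ssl compares protocol names case-insensitively
        match = next((p for p in KNOWN_PROTOCOLS | {"all"} if p.lower() == name.lower()), None)
        if match is None:
            raise ValueError(f"unknown SSLProtocol token {token!r}")
        chosen = set(ALL_PROTOCOLS) if match == "all" else {match}
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            enabled = chosen
    return enabled


def audit_config(text):
    """Scan httpd configuration text and return one (line_no, argument string,
    enabled protocols, weak protocols still enabled) tuple per SSLProtocol line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()        # drop comments
        m = re.match(r"SSLProtocol\s+(.+)$", stripped, re.IGNORECASE)
        if not m:
            continue
        enabled = parse_sslprotocol(m.group(1))
        findings.append((line_no, m.group(1), enabled, enabled & WEAK_PROTOCOLS))
    return findings


# Constructed excerpt in the shape of /etc/httpd/conf.d/ssl.conf before the fix.
SAMPLE_CONF = """\
# constructed excerpt, not a real server's configuration
Listen 443 https
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
</VirtualHost>
"""

if __name__ == "__main__":
    for line_no, args, enabled, weak in audit_config(SAMPLE_CONF):
        status = "WEAK: " + ", ".join(sorted(weak)) if weak else "ok"
        print(f"line {line_no}: SSLProtocol {args} -> {sorted(enabled)} [{status}]")
    # The directive from Step 2 leaves only the TLS versions enabled.
    print(sorted(parse_sslprotocol("all -SSLv3 -SSLv2")))   # ['TLSv1', 'TLSv1.1', 'TLSv1.2']
```

To run it against a real server, pass the contents of ssl.conf (and of any other file that sets SSLProtocol inside a VirtualHost) to audit_config. Note that an empty result is not a clean bill: the mod_ssl default when no SSLProtocol directive is present is "all", so SSLv3 is enabled until a directive explicitly removes it.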

References
  1. How To Protect your Server Against the POODLE SSLv3 Vulnerability
  2. Apache - SSLProtocol Directive
