What is Foglight's solution to the POODLE (Padding Oracle on Downgraded Legacy) exploit SSL vulnerability?
The POODLE exploit targets legacy SSL sessions to hijack browser sessions.
WORKAROUND
Foglight includes the Tomcat Servlet container, which is affected by the POODLE SSL vulnerability, CVE-2014-3566.
To fix this vulnerability in existing 5.6.x installations, change the Tomcat 6 configuration:
1. Open the following files for editing:
2. Remove the sslProtocol attribute and add the sslProtocols as follows, while leaving the other elements and attributes as is:
<Connector ... sslProtocols="SSLv2, TLSv1, TLSv1.1, TLSv1.2" ... />
3. Restart Foglight
When installing a NEW Foglight 5.7.* instance, the POODLE vulnerability is automatically fixed.
When upgrading to Foglight 5.7.*, the included Tomcat 7 is NOT automatically fixed, because older Agent Manager instances configured with SSL would otherwise be unable to reconnect to the server.
To fix this vulnerability after upgrading an existing installation to 5.7.x:
1. Open the FMSHOME/server/tomcat/server.xml file for editing.
2. Make sure the https Connector element contains an attribute sslEnabledProtocols as follows, while leaving the other elements and attributes as is:
<Connector ... sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" ... />
3. Restart Foglight
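One way to check the result of the edits above, as an added example that is not part of the original article or Quest's own tooling: the script parses a server.xml and reports, for each HTTPS Connector, whether SSLv3 is listed or no protocol list is set at all. The sample XML, the port numbers and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute names from the article: sslProtocols (5.6.x / Tomcat 6 steps)
# and sslEnabledProtocols (5.7.x / Tomcat 7 steps).
PROTOCOL_ATTRS = ("sslEnabledProtocols", "sslProtocols")

# Constructed sample, not a real Foglight server.xml.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" />
    <Connector port="8444" scheme="https" secure="true" SSLEnabled="true"
               sslProtocol="TLS" />
    <Connector port="8445" scheme="https" secure="true" SSLEnabled="true"
               sslEnabledProtocols="SSLv3, TLSv1" />
  </Service>
</Server>
"""

def is_https(connector):
    """Treat a Connector as HTTPS if SSL is enabled or its scheme is https."""
    return (connector.get("SSLEnabled", "").lower() == "true"
            or connector.get("scheme", "").lower() == "https")

def audit_connectors(xml_text):
    """Map each HTTPS connector port to 'ok' or a description of the problem."""
    results = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if not is_https(conn):
            continue
        port = conn.get("port", "?")
        listed = next((conn.get(a) for a in PROTOCOL_ATTRS if conn.get(a)), None)
        if listed is None:
            # Without an explicit list the enabled protocols come from the JVM.
            results[port] = "no explicit protocol list; JVM defaults apply"
            continue
        protocols = [p.strip() for p in listed.split(",") if p.strip()]
        if any(p.lower() == "sslv3" for p in protocols):
            results[port] = "SSLv3 is enabled"
        else:
            results[port] = "ok"
    return results

if __name__ == "__main__":
    for port, verdict in audit_connectors(SAMPLE_SERVER_XML).items():
        print(f"port {port}: {verdict}")
```

To audit a real installation, pass the contents of the server.xml file to `audit_connectors` instead of the constructed sample.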
Note: Foglight is not affected by the related Poodle CVE-2014-8730 vulnerability.
STATUS
This vulnerability was logged as defect id FGL-17325 and is fixed in new Foglight 5.7.0, 5.7.1, and later installs.