accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (ACCUMULO-3316) Update TLS usage to mitigate POODLE
Date Sat, 08 Nov 2014 00:22:36 GMT

     [ https://issues.apache.org/jira/browse/ACCUMULO-3316?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Josh Elser resolved ACCUMULO-3316.
----------------------------------
    Resolution: Fixed
      Assignee: Josh Elser

> Update TLS usage to mitigate POODLE
> -----------------------------------
>
>                 Key: ACCUMULO-3316
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3316
>             Project: Accumulo
>          Issue Type: Task
>          Components: monitor, rpc
>    Affects Versions: 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1
>            Reporter: Sean Busbey
>            Assignee: Josh Elser
>            Priority: Blocker
>              Labels: encryption, security, tls
>             Fix For: 1.5.3, 1.6.2, 1.7.0
>
>
> Courtesy [~bhavanki]
> {quote}
> Recently, Google uncovered a vulnerability [1][2], now nicknamed "POODLE",
> in the SSLv3 protocol. The vulnerability provides a mechanism for MITM
> attackers to extract cleartext from SSLv3 traffic.
> Accumulo currently allows the use of SSLv3 in these areas. Therefore,
> Accumulo [deployments can be impacted].
> 1. The monitor uses Jetty to listen for https connections, and Jetty
> supports SSLv3.
> 2. All of the daemons that listen for Thrift connections can do so over
> SSLv3.
> The simplest and most effective way to eliminate Accumulo's susceptibility
> to this vulnerability is to prevent the use of SSLv3 across all Accumulo
> server processes. In general, such changes should be straightforward,
> essentially removing SSLv3 from the set of supported protocols and only
> allowing clients to negotiate across the various newer TLS versions, which
> are not susceptible to this vulnerability.
> [1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
> [2] https://www.us-cert.gov/ncas/alerts/TA14-290A
> {quote}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message