directory-dev mailing list archives

From "Chris Custine (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DIRSERVER-2020) Poodle remediation for ApacheDS 2.X
Date Wed, 19 Nov 2014 20:44:34 GMT

    [ https://issues.apache.org/jira/browse/DIRSERVER-2020?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14218469#comment-14218469 ]

Chris Custine commented on DIRSERVER-2020:
------------------------------------------

There is probably zero risk of anyone exploiting ApacheDS or LDAP API using POODLE. The downgrade
to SSLv3 is merely an enabler of the more complicated attack, which requires injecting and
running arbitrary code on the client side. Furthermore, the only useful part of this exploit
is decrypting cookies, and I am not aware of any cookie exchange as part of the ApacheDS or
LDAP API interactions. It takes an average of 256 very specifically engineered requests by
the injected code (i.e. JavaScript in a compromised browser) to decrypt a single byte of a
cookie. This blog has a very good analysis of the exploit, and the first 4 or 5 paragraphs
detail the steps I mention above and should put everyone's minds at ease about this affecting
a closed, non-browser, non-HTTP server system like ApacheDS and LDAP API.

> Poodle remediation for ApacheDS 2.X
> -----------------------------------
>
>                 Key: DIRSERVER-2020
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2020
>             Project: Directory ApacheDS
>          Issue Type: Task
>          Components: ldap
>    Affects Versions: 2.0.0-M10
>         Environment: Production
>            Reporter: RakeshAcharya
>            Priority: Critical
>              Labels: patch
>
> How do we disable the SSLv3 protocol for ApacheDS 2.X?
> As part of POODLE remediation we need to disable SSLv3 ASAP in production boxes as the
> scan showed it's vulnerable.
> I can't find any configuration pertaining to the same which I could change.
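The question above asks how to turn SSLv3 off, and the page does not show the ApacheDS configuration for that. What follows is an added example, not ApacheDS or Directory project code, of the JVM-level mechanism a Java server such as ApacheDS relies on: filtering SSLv3 out of a JSSE SSLEngine's enabled protocols and checking that it is gone. The class and method names (DisableSslv3, withoutLegacy, hardenedServerEngine, offersSslv3) are hypothetical.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (hypothetical helper, not ApacheDS code): removes SSLv3 and the
 * SSLv2Hello pseudo-protocol from what a server-side SSLEngine will negotiate,
 * so a client cannot downgrade the handshake to SSLv3.
 */
public final class DisableSslv3 {

    private static final List<String> LEGACY = Arrays.asList("SSLv3", "SSLv2Hello");

    private DisableSslv3() {}

    /** Returns a copy of the given protocol list with the legacy entries removed. */
    public static String[] withoutLegacy(String[] protocols) {
        List<String> kept = new ArrayList<>();
        for (String p : protocols) {
            if (!LEGACY.contains(p)) {
                kept.add(p);
            }
        }
        return kept.toArray(new String[0]);
    }

    /** Creates a server-mode engine from the context and applies the filter to it. */
    public static SSLEngine hardenedServerEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setEnabledProtocols(withoutLegacy(engine.getEnabledProtocols()));
        return engine;
    }

    /** Verification check: true when SSLv3 is still enabled on the engine. */
    public static boolean offersSslv3(SSLEngine engine) {
        return Arrays.asList(engine.getEnabledProtocols()).contains("SSLv3");
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine plain = ctx.createSSLEngine();
        System.out.println("default protocols: " + Arrays.toString(plain.getEnabledProtocols()));
        SSLEngine hardened = hardenedServerEngine(ctx);
        System.out.println("hardened protocols: " + Arrays.toString(hardened.getEnabledProtocols()));
        System.out.println("SSLv3 still offered: " + offersSslv3(hardened));
    }
}
```

Recent JDKs also disable SSLv3 globally through the jdk.tls.disabledAlgorithms property in the JRE's java.security file, which covers servers that never set protocols programmatically.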
