ranger-dev mailing list archives

From "t oo (JIRA)" <j...@apache.org>
Subject [jira] [Created] (RANGER-2131) Ranger UserSync port (ie 5151) supports TLSv1.0
Date Sun, 10 Jun 2018 23:43:00 GMT
t oo created RANGER-2131:
----------------------------

             Summary: Ranger UserSync port (ie 5151) supports TLSv1.0
                 Key: RANGER-2131
                 URL: https://issues.apache.org/jira/browse/RANGER-2131
             Project: Ranger
          Issue Type: Bug
          Components: usersync
    Affects Versions: 1.0.0
            Reporter: t oo
             Fix For: 1.1.0


THREAT:
TLS is capable of using a multitude of ciphers (algorithms) to create the public and private key pairs.
For example, TLSv1.0 uses either the RC4 stream cipher or a block cipher in CBC mode.
RC4 is known to have biases, and the block cipher in CBC mode is vulnerable to the POODLE attack.
TLSv1.0, if configured to use the same cipher suites as SSLv3, includes a means by which a TLS implementation can downgrade the connection to SSL v3.0, thus weakening security.
A POODLE-type ([https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls]) attack could also be launched directly at TLS without negotiating a downgrade.
This QID will be marked as a Fail for PCI as of May 1st, 2017 in accordance with the new standards. For existing implementations, Merchants will be able to submit a PCI False Positive / Exception Request and provide proof of their Risk Mitigation and Migration Plan, which will result in a pass for PCI up until June 30th, 2018.
Further details can be found at: NEW PCI DSS v3.2 and Migrating from SSL and Early TLS v1.1 ([https://community.qualys.com/message/34120])

IMPACT:
An attacker can exploit cryptographic flaws to conduct man-in-the-middle type attacks or to decrypt communications.
For example: An attacker could force a downgrade from the TLS protocol to the older SSLv3.0 protocol and exploit the POODLE vulnerability, read secure communications or maliciously modify messages.
A POODLE-type ([https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls]) attack could also be launched directly at TLS without negotiating a downgrade.

SOLUTION:
Disable the use of the TLSv1.0 protocol in favor of a cryptographically stronger protocol such as TLSv1.2.
The following openssl command can be used to do a manual test:
openssl s_client -connect ip:port -tls1
If the test is successful, then the target supports TLSv1.0.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
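The manual check in the SOLUTION section, extended to every TLS version as an added example. This script is not part of Ranger and not the reporter's; it wraps the same `openssl s_client` invocation the issue names and decides support from the "Cipher is" line that s_client prints. The host, the port (5151 is the UserSync port the issue names) and the two sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Ranger project code): probe a TLS listener for each
# protocol version with `openssl s_client`, the tool the issue recommends.

# Constructed samples of what s_client prints after a completed and after a
# refused handshake (trimmed; not captured from a real Ranger host).
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.0, Cipher is AES256-SHA
Server public key is 2048 bit'
SAMPLE_REFUSED='CONNECTED(00000003)
error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'

# classify_s_client_output TEXT
# Prints "yes" when TEXT shows a negotiated cipher for the requested version,
# "no" when the handshake was refused or the output is unrecognisable.
classify_s_client_output() {
    out="$1"
    # A refused handshake reports "Cipher is (NONE)"; check that first because
    # the line also matches the generic "New, ..., Cipher is" pattern below.
    if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo no
    elif printf '%s\n' "$out" | grep -q '^New, .*Cipher is '; then
        echo yes
    else
        echo no
    fi
}

# probe_tls_version HOST PORT FLAG
# FLAG is one of the s_client version switches: -tls1 -tls1_1 -tls1_2 -tls1_3.
# stdin is closed so s_client exits as soon as the handshake finishes.
probe_tls_version() {
    host="$1"; port="$2"; flag="$3"
    out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1) || true
    classify_s_client_output "$out"
}

# Usage: sh tls_probe.sh <host> [port]   (port defaults to 5151, UserSync)
if [ -n "${1:-}" ]; then
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_tls_version "$1" "${2:-5151}" "$flag")"
    done
fi
```

The result is taken from the printed "New, <version>, Cipher is <suite>" line rather than from the exit status, which is what the issue's "if the test is successful" wording refers to. One caveat when reading a "no": newer OpenSSL builds can refuse to offer TLSv1.0 or TLSv1.1 on the client side, so a refusal proves the server rejects the version only when the client is known to still offer it; confirm with the alert text in the output (a server-side rejection shows a protocol-version or handshake-failure alert after `CONNECTED`).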
