Details
Description
Courtesy bhavanki
Recently, Google uncovered a vulnerability [1][2], now nicknamed "POODLE",
in the SSLv3 protocol. The vulnerability provides a mechanism for MITM
attackers to extract cleartext from SSLv3 traffic.

Accumulo currently allows the use of SSLv3 in these areas:

1. The monitor uses Jetty to listen for https connections, and Jetty
   supports SSLv3.
2. All of the daemons that listen for Thrift connections can do so over
   SSLv3.

Therefore, Accumulo deployments can be impacted.

The simplest and most effective way to eliminate Accumulo's susceptibility
to this vulnerability is to prevent the use of SSLv3 across all Accumulo
server processes. In general, such changes should be straightforward:
remove SSLv3 from the set of supported protocols and only allow clients to
negotiate across the various newer TLS versions, which are not susceptible
to this vulnerability.

[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
[2] https://www.us-cert.gov/ncas/alerts/TA14-290A
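The mitigation described above, removing SSLv3 from the set of enabled protocols on every listening socket, comes down to one JSSE call on the server side. The following is an added example, not Accumulo's own code nor the change made in the linked sub-tasks: it filters SSLv3 (and the SSLv2Hello pseudo-protocol, which only exists to accept legacy hellos) out of an SSLServerSocket's enabled protocols and fails loudly if nothing TLS-based would remain. The class name NoSslv3 and the helper names are assumptions made for this example; Jetty's SslContextFactory exposes the same idea for the monitor via its exclude-protocols setting.

```java
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not Accumulo project code): disable SSLv3 on a JSSE server socket.
 * The same filter applies to any SSLServerSocket, whether it backs a Thrift
 * TServerSocket or a Jetty HTTPS connector.
 */
public class NoSslv3 {

    // Protocols a server must not negotiate after POODLE. SSLv2Hello is not a
    // cipher protocol but a hello-format that admits legacy clients; drop it too.
    private static final List<String> DISALLOWED = Arrays.asList("SSLv3", "SSLv2Hello");

    /** Returns the given protocol list with the disallowed entries removed. */
    static String[] withoutSslv3(String[] enabled) {
        List<String> kept = new ArrayList<>();
        for (String p : enabled) {
            if (!DISALLOWED.contains(p)) {
                kept.add(p);
            }
        }
        if (kept.isEmpty()) {
            // Refuse to start with an empty list rather than silently falling back.
            throw new IllegalStateException("no TLS protocol would remain enabled");
        }
        return kept.toArray(new String[0]);
    }

    /**
     * Applies the filter to a live server socket.
     * Returns true if SSLv3 (or SSLv2Hello) was actually enabled and has now been removed.
     */
    static boolean disableSslv3(SSLServerSocket sock) {
        String[] before = sock.getEnabledProtocols();
        sock.setEnabledProtocols(withoutSslv3(before));
        return before.length != sock.getEnabledProtocols().length;
    }

    /** Quick self-check against the JVM's default server socket factory. */
    public static void main(String[] args) throws IOException {
        SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        // Port 0: bind to an ephemeral port; we never accept a connection here.
        try (SSLServerSocket sock = (SSLServerSocket) factory.createServerSocket(0)) {
            System.out.println("enabled before: " + Arrays.toString(sock.getEnabledProtocols()));
            boolean changed = disableSslv3(sock);
            System.out.println("enabled after:  " + Arrays.toString(sock.getEnabledProtocols()));
            System.out.println("SSLv3 was enabled and has been removed: " + changed);
        }
    }
}
```

On a JVM whose defaults still include SSLv3 (the Java 7 era this issue was filed in), the "before" list shows SSLv3 and the method reports true; on a current JVM the default list already lacks SSLv3 and the method reports false, which is itself a useful sanity check when auditing a deployment's runtime rather than trusting its configuration.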
1. Change Jetty configuration to disallow SSLv3 (Resolved, Josh Elser)
2. Alter Thrift RPC components to disallow SSLv3 (Resolved, Josh Elser)