[ACCUMULO-3316] Update TLS usage to mitigate POODLE - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Resolved
Priority: Blocker
Resolution: Fixed
Affects Version/s: 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1
Fix Version/s: 1.5.3, 1.6.2, 1.7.0
Component/s: monitor, rpc
Labels:
- encryption
- security
- tls

Description

Recently, Google uncovered a vulnerability [1][2], now nicknamed "POODLE",
in the SSLv3 protocol. The vulnerability provides a mechanism for MITM
attackers to extract cleartext from SSLv3 traffic.

Accumulo currently allows the use of SSLv3 in these areas. Therefore,
Accumulo [deployments can be impacted].

1. The monitor uses Jetty to listen for https connections, and Jetty
supports SSLv3.
2. All of the daemons that listen for Thrift connections can do so over
SSLv3.

The simplest and most effective way to eliminate Accumulo's susceptibility
to this vulnerability is to prevent the use of SSLv3 across all Accumulo
server processes. In general, such changes should be straightforward,
essentially removing SSLv3 from the set of supported protocols and only
allowing clients to negotiate across the various newer TLS versions, which
are not susceptible to this vulnerability.

[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
[2] https://www.us-cert.gov/ncas/alerts/TA14-290A

Attachments

Sub-Tasks

Change Jetty configuration to disallow SSLv3

Resolved

Josh Elser

100%

Alter Thrift RPC components to disallow SSLv3

Resolved

Josh Elser

100%

Activity

People

Assignee:: Josh Elser

Reporter:: Sean Busbey

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 07/Nov/14 18:13

Updated:: 08/Nov/14 00:21

Resolved:: 08/Nov/14 00:21

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

1h 10m

Include sub-tasks