
Thread: New OpenSSL and SSLv3 Vulnerabilities

  1. #1
    Lenny Forziati (Alpha Software Employee)

    New OpenSSL and SSLv3 Vulnerabilities

    There are two new SSL-related issues to be aware of. The first is a vulnerability specific to OpenSSL 0.9.8, 1.0.0 and 1.0.1. The second is an inherent flaw in version 3 of the SSL protocol itself and is not specific to any vendor's implementation.

    OpenSSL Vulnerability
    The OpenSSL Project issued a security advisory today (October 15, 2014) regarding 4 vulnerabilities. The complete advisory can be viewed on their site at https://www.openssl.org/news/secadv_20141015.txt

    The first two vulnerabilities are memory leaks that can result in a denial of service attack. The second two vulnerabilities listed are actually related to the general SSL version 3 flaw below.

    SSL version 3 Vulnerability - POODLE
    A new flaw in version 3 of SSL has recently been discovered and nicknamed POODLE. In summary, this is a man-in-the-middle attack that allows the attacker to steal encrypted information. It relies on an older version of SSL from 1996 that is still supported by most modern servers and clients for backwards compatibility.

    Remediation
    Alpha Software is building and testing updated OpenSSL DLLs. We expect to make DLLs 0.9.8zc and 1.0.1j available shortly. These DLLs will include the fixes for the latest OpenSSL security advisory.

    Additionally, Alpha Software's current default Application Server SSL Cipher List already disables SSL v3 so customers using the current default configuration are already protected against POODLE. We recommend anyone running a server with a different cipher list either consider using the list below, or at least add :-SSLv3 to your current list in order to disable SSLv3 support.

    The current default SSL Cipher List is below. It is specified on the SSL tab of the Application Server Settings dialog. This cipher list is from https://wiki.mozilla.org/Security/Server_Side_TLS

    Code:
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK

    Further Information
    The OpenSSL Project - https://www.openssl.org/

    OpenSSL Security Advisory [15 Oct 2014] - https://www.openssl.org/news/secadv_20141015.txt

    This POODLE Bites: Exploiting The SSL 3.0 Fallback - https://www.openssl.org/~bodo/ssl-poodle.pdf

    Google’s POODLE affects oodles - http://news.netcraft.com/archives/20...ts-oodles.html

    Lenny Forziati
    Vice President, Internet Products and Technical Services
    Alpha Software Corporation
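The post recommends appending `:-SSLv3` to a custom cipher list. The following is an added example, not code from the post or from Alpha Software: a small pure-Python model of OpenSSL's cipher-string grammar (`!`, `-`, `+` and `@` prefixes, `:`/`,`/space separators) that parses a list and reports whether its final rule set still leaves SSLv3 suites enabled. The function names and the short excerpt of the default list are my own constructions.

```python
"""Parse an OpenSSL-style cipher list and check whether it disables SSLv3 suites.

Added example for this thread: a pure-Python model of the cipher-string
grammar, so it runs without OpenSSL. Names are hypothetical, not Alpha's API.
"""
from dataclasses import dataclass
from typing import List

# Constructed excerpt of the default list quoted in the post (first and last entries only).
DEFAULT_LIST_EXCERPT = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-SHA:AES128:AES256:RC4-SHA:HIGH:"
    "!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
)


@dataclass(frozen=True)
class CipherRule:
    # "" add, "!" kill (cannot be re-added later), "-" remove (a later bare
    # spec re-adds), "+" move matching suites to the end, "@" directive
    op: str
    spec: str  # cipher name or alias; "A+B" means suites matching both A and B


def parse_cipher_list(cipher_list: str) -> List[CipherRule]:
    """Split an OpenSSL cipher string into ordered rules (':' ',' or space separated)."""
    rules: List[CipherRule] = []
    for raw in cipher_list.replace(",", ":").replace(" ", ":").split(":"):
        token = raw.strip()
        if not token:
            continue  # tolerate empty fields such as a trailing ':'
        if token[0] in "!-+@":
            op, spec = token[0], token[1:]
        else:
            op, spec = "", token
        if not spec:
            raise ValueError(f"operator {op!r} without a cipher spec in {cipher_list!r}")
        rules.append(CipherRule(op, spec))
    return rules


def sslv3_disabled(cipher_list: str) -> bool:
    """True when the rules, applied in order, leave no SSLv3 suites enabled.

    Mirrors OpenSSL ordering: '!SSLv3' is permanent, '-SSLv3' removes the
    suites but a later bare 'SSLv3' puts them back, '+SSLv3' only reorders.
    Compound specs such as 'SSLv3+RSA' only touch a subset, so they are
    conservatively treated as not disabling SSLv3.
    """
    disabled = False
    for rule in parse_cipher_list(cipher_list):
        if rule.spec.upper() != "SSLV3":
            continue
        if rule.op == "!":
            return True
        if rule.op == "-":
            disabled = True
        elif rule.op == "":
            disabled = False
    return disabled


def ensure_sslv3_disabled(cipher_list: str) -> str:
    """Append ':-SSLv3' as the post recommends, unless SSLv3 is already removed."""
    if sslv3_disabled(cipher_list):
        return cipher_list
    return cipher_list.rstrip(": ") + ":-SSLv3"


if __name__ == "__main__":
    for name, lst in [("excerpt", DEFAULT_LIST_EXCERPT), ("hardened", ensure_sslv3_disabled(DEFAULT_LIST_EXCERPT))]:
        print(f"{name}: {len(parse_cipher_list(lst))} rules, SSLv3 disabled = {sslv3_disabled(lst)}")
```

One caveat worth knowing before adding `-SSLv3`: in OpenSSL's cipher-string grammar, `SSLv3` matches the suites that were first defined for SSL 3.0 (for example AES128-SHA and RC4-SHA), and those same suites are what TLS 1.0 and 1.1 clients use. `-SSLv3` therefore leaves nothing for an SSLv3 client to negotiate, which is the goal, but it also leaves only the TLS 1.2 suites (the GCM and SHA256/SHA384 entries in the list above) for everyone else. `openssl ciphers -v '<your list>'` prints the protocol column for each suite, so you can see exactly what survives.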

  2. #2
    Lenny Forziati (Alpha Software Employee)

    Re: New OpenSSL and SSLv3 Vulnerabilities

    Updated OpenSSL DLLs are now available for download. You may download these updated DLLs using the links below. To update the DLLs, exit all copies of Alpha (development environment as well as server), overwrite the DLLs in your program folder with the downloaded files, and restart Alpha.

    OpenSSL 1.0.1j, for V11 and V12/Alpha Anywhere users

    OpenSSL 0.9.8zc, for V10 and prior users. V10 and prior users should also review OpenSSL 0.9.8 End Of Life Announced

    Lenny Forziati
    Vice President, Internet Products and Technical Services
    Alpha Software Corporation
