Abiquo and POODLE Vulnerability

Dear customers,
 
You have probably noticed that a new vulnerability has hit OpenSSL. The new attack, called POODLE, is not as serious as Shellshock or Heartbleed.
 
However, it's still better to take action to avoid problems. The only thing you have to do is disable SSLv3 support. To do this, you can follow this guide:
 
https://cipherli.st/
 
Here is a summary of the information provided by the above website.
 
NGINX
 
change:
 
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
 
to:
 
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
 
Apache
 
SSLProtocol ALL -SSLv2 -SSLv3
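
To check existing configuration files for directives that still enable SSLv3, here is an added example (not from Abiquo or cipherli.st). It evaluates the nginx and Apache directives shown above, assuming that Apache's "ALL" includes SSLv3 as it did on builds of that period; the function names and sample lines are constructed for illustration.

```python
import re
# Assumption: on 2014-era mod_ssl builds, "all" expands to these protocols.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
# Matches an active (uncommented) nginx or Apache protocol directive.
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^#;]+)", re.I)

def apache_protocols(args):
    """Evaluate SSLProtocol tokens left to right, the way mod_ssl does."""
    enabled = set()
    for tok in args.lower().split():
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-")
        group = APACHE_ALL if name == "all" else {name}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = set(group)  # a bare name replaces everything before it
    return enabled

def audit(text):
    """Return (line_number, directive, sslv3_enabled) for each directive."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        match = DIRECTIVE.match(line)
        if not match:
            continue
        name, args = match.group(1).lower(), match.group(2).lower()
        if name == "ssl_protocols":  # nginx enables exactly what is listed
            protos = set(args.split())
        else:
            protos = apache_protocols(args)
        findings.append((number, line.strip(), "sslv3" in protos))
    return findings

# Constructed sample: the directives from this page plus risky variants.
SAMPLE = """\
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
SSLProtocol ALL -SSLv2 -SSLv3
SSLProtocol ALL -SSLv2
SSLProtocol -SSLv3 ALL
# ssl_protocols SSLv3;
"""

if __name__ == "__main__":
    for number, directive, bad in audit(SAMPLE):
        print(f"line {number}: {'SSLv3 ENABLED' if bad else 'ok'}: {directive}")
```

The last Apache line in the sample shows why token order matters: a bare "ALL" after "-SSLv3" turns SSLv3 back on.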
 
For more information about this new vulnerability:
 
* Search for "CVE-2014-3566"
* https://www.openssl.org/~bodo/ssl-poodle.pdf

 

Testing if you are vulnerable
 
Save this script as poodle.sh:
 
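#!/bin/bash
# Usage: bash poodle.sh <hostname>
# Note: the local openssl client must support -ssl3; if it does not, the result is a false FAIL.
host="$1"

# First confirm that the host answers on port 443 at all.
if ! echo | timeout 3 openssl s_client -connect "$host:443" >/dev/null 2>&1; then
  echo "UNKNOWN: $host timeout or connection error"
# Then force an SSLv3 handshake; a handshake failure alert means the server refuses SSLv3.
elif echo | timeout 3 openssl s_client -connect "$host:443" -ssl3 2>&1 | grep -q "sslv3 alert handshake failure"; then
  echo "OK: $host Not vulnerable"
else
  echo "FAIL: $host vulnerable; sslv3 connection accepted"
fi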
 
Run it against your server.
 
user@Server ~ $ bash poodle.sh anycloud.abiquo.com
OK: anycloud.abiquo.com Not vulnerable
