Bug 1153319
| Summary: | [2.1 backport] Disable SSLv3 to mitigate POODLE CVE-2014-3566 | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Luke Meyer <lmeyer> |
| Component: | Security | Assignee: | Luke Meyer <lmeyer> |
| Status: | CLOSED ERRATA | QA Contact: | Xiaoli Tian <xtian> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 2.1.0 | CC: | adellape, jialiu, jokerman, lmeyer, mmccomas, pruan, xtian |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | openshift-origin-broker-1.16.1.14-1.el6op, rubygem-openshift-origin-frontend-apache-vhost-0.5.2.5-1.el6op, rubygem-openshift-origin-frontend-apache-mod-rewrite-0.5.2.2-1.el6op | Doc Type: | Bug Fix |
| Doc Text: | OpenShift Enterprise brokers, as well as nodes using the apache-mod-rewrite or apache-vhost front end plug-ins, previously had SSLv3 enabled, making them susceptible to POODLE-style attacks. This bug fix backports an OpenShift Enterprise 2.2 fix that updates these components to remove SSLv3 support; as a result, new installations are no longer susceptible to these issues. | | |
| Story Points: | --- | | |
| Clone Of: | 1153313 | Environment: | |
| Last Closed: | 2014-11-25 18:19:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1153313 | | |
| Bug Blocks: | | | |
Description
Luke Meyer
2014-10-15 18:44:23 UTC
Verified this bug with 2.1.z/2014-11-05.1 against both vhost and rewrite frontend, and PASS.

1. Create an app successfully.
2. Check sslv3 is disabled on broker and node, and make sure the app's URL is still available.

Command:
```
( sleep 0.2; echo Q ) | timeout 5 openssl s_client -connect '10.66.79.120:443' -no_tls1 -no_tls1_1 -no_tls1_2 2>&1 | grep 'no peer certificate available'
```
Output:
```
no peer certificate available
```

Command:
```
( sleep 0.2; echo Q ) | timeout 5 openssl s_client -connect '10.66.79.120:443' 2>&1 | tail -1 | grep 'DONE'
```
Output:
```
DONE
```

Command:
```
( sleep 0.2; echo Q ) | timeout 5 openssl s_client -connect 'poodleapp-jialiu.ose21z-manual.com.cn:443' -no_tls1 -no_tls1_1 -no_tls1_2 2>&1 | grep 'no peer certificate available'
```
Output:
```
no peer certificate available
```

Command:
```
( sleep 0.2; echo Q ) | timeout 5 openssl s_client -connect 'poodleapp-jialiu.ose21z-manual.com.cn:443' 2>&1 | tail -1 | grep 'DONE'
```
Output:
```
DONE
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2014-1906.html
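The Doc Text describes the fix as removing SSLv3 support from the apache-vhost and apache-mod-rewrite front ends, and the verification above probes the live service with `openssl s_client`. That probe has a caveat worth knowing: it relies on an OpenSSL build that still speaks SSLv3, and on newer builds `-no_tls1 -no_tls1_1 -no_tls1_2` leaves TLS 1.3 available, so a successful handshake no longer says anything about SSLv3. A configuration-level audit is a useful complement. The following is an added example, not code from the OpenShift project: it parses Apache mod_ssl `SSLProtocol` directives using mod_ssl's `+`/`-` prefix rules and reports every line that still permits SSLv3. It assumes that the front ends express their policy through `SSLProtocol` (a real mod_ssl directive; that these plug-ins use it is my assumption) and that a missing directive falls back to the httpd 2.2 default of `all`, which includes SSLv2 and SSLv3. The vhost snippets are constructed samples.

```python
"""Audit Apache mod_ssl 'SSLProtocol' lines for SSLv3 exposure.

Added example (not OpenShift project code). Assumptions: the broker/node front
ends express their protocol policy through mod_ssl's SSLProtocol directive,
and a missing directive means the httpd 2.2 default of 'all', which includes
SSLv2 and SSLv3. The vhost snippets at the bottom are constructed samples.
"""
import re

# Protocol names mod_ssl of that era accepts; "all" expands to every one.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
_CANONICAL = {p.lower(): p for p in PROTOCOLS}

# Matches a directive line; Apache directive names are case-insensitive.
_DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def parse_ssl_protocol(args):
    """Expand the argument list of one SSLProtocol directive into the set of
    enabled protocols, following mod_ssl's prefix rules: '-X' removes X,
    '+X' adds X, and a bare token replaces whatever was built so far."""
    enabled = set()
    for token in args.split():
        action, name = "", token
        if token[0] in "+-":
            action, name = token[0], token[1:]
        if name.lower() == "all":
            members = set(PROTOCOLS)
        elif name.lower() in _CANONICAL:
            members = {_CANONICAL[name.lower()]}
        else:
            raise ValueError("illegal protocol %r in SSLProtocol" % token)
        if action == "-":
            enabled -= members
        elif action == "+":
            enabled |= members
        else:
            enabled = members
    return enabled


def audit_config(text):
    """Return (line number, enabled protocol set) for every SSLProtocol line.
    With no directive at all, report the implicit default on line 0."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("#"):  # Apache comments occupy whole lines
            continue
        match = _DIRECTIVE.match(raw)
        if match:
            findings.append((lineno, parse_ssl_protocol(match.group(1))))
    if not findings:
        findings.append((0, set(PROTOCOLS)))
    return findings


def sslv3_exposed_lines(text):
    """Line numbers whose SSLProtocol still permits SSLv3 (0 means no
    directive, so the default applies). An empty list means hardened."""
    return [lineno for lineno, enabled in audit_config(text) if "SSLv3" in enabled]


# Constructed samples: the pre-fix shape and the hardened shape of a vhost.
VULNERABLE_VHOST = """\
# constructed sample, pre-fix
<VirtualHost *:443>
  ServerName broker.example.test
  SSLEngine on
  SSLProtocol all
</VirtualHost>
"""

HARDENED_VHOST = """\
# constructed sample, post-fix
<VirtualHost *:443>
  ServerName broker.example.test
  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_VHOST), ("hardened", HARDENED_VHOST)):
        bad = sslv3_exposed_lines(conf)
        print("%-10s SSLv3 permitted on lines: %s" % (label, bad or "none"))
```

Run it against the rendered vhost files on a broker or node (for example, each file under the Apache configuration directory that the front-end plug-in generates); any non-empty result names a line that still needs the `-SSLv3` removal the fix introduces. Note that the audit is per directive line and does not model Apache's context inheritance, so a policy set once in the main server config and absent from a vhost shows up as the default for that file.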