Posted to notifications@accumulo.apache.org by "Josh Elser (JIRA)" <ji...@apache.org> on 2014/11/08 01:22:36 UTC
[jira] [Resolved] (ACCUMULO-3316) Update TLS usage to mitigate POODLE
[ https://issues.apache.org/jira/browse/ACCUMULO-3316?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Josh Elser resolved ACCUMULO-3316.
----------------------------------
Resolution: Fixed
Assignee: Josh Elser
> Update TLS usage to mitigate POODLE
> -----------------------------------
>
> Key: ACCUMULO-3316
> URL: https://issues.apache.org/jira/browse/ACCUMULO-3316
> Project: Accumulo
> Issue Type: Task
> Components: monitor, rpc
> Affects Versions: 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1
> Reporter: Sean Busbey
> Assignee: Josh Elser
> Priority: Blocker
> Labels: encryption, security, tls
> Fix For: 1.5.3, 1.6.2, 1.7.0
>
>
> Courtesy [~bhavanki]
> {quote}
> Recently, Google uncovered a vulnerability [1][2], now nicknamed "POODLE",
> in the SSLv3 protocol. The vulnerability provides a mechanism for MITM
> attackers to extract cleartext from SSLv3 traffic.
> Accumulo currently allows the use of SSLv3 in these areas. Therefore,
> Accumulo [deployments can be impacted].
> 1. The monitor uses Jetty to listen for https connections, and Jetty
> supports SSLv3.
> 2. All of the daemons that listen for Thrift connections can do so over
> SSLv3.
> The simplest and most effective way to eliminate Accumulo's susceptibility
> to this vulnerability is to prevent the use of SSLv3 across all Accumulo
> server processes. In general, such changes should be straightforward,
> essentially removing SSLv3 from the set of supported protocols and only
> allowing clients to negotiate across the various newer TLS versions, which
> are not susceptible to this vulnerability.
> [1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
> [2] https://www.us-cert.gov/ncas/alerts/TA14-290A
> {quote}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
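An added example of the change the quoted description calls for (this is not code from the Accumulo project): trimming a JSSE server socket's enabled protocols down to TLS versions so an SSLv3 handshake is refused, which is the treatment the Thrift listeners' sockets need; Jetty's SslContextFactory exposes the same idea through its excluded-protocols setting. Class and method names here are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

// Added example: restrict a JSSE server socket to TLS only, so an SSLv3
// ClientHello is rejected instead of negotiated (the mitigation described
// in ACCUMULO-3316). Class and method names are hypothetical.
public class TlsOnlyServerSocket {

    // Protocol names that must never be offered. "SSLv2Hello" is the legacy
    // hello format; removing it means no SSLv2-style handshake can start.
    private static final List<String> BANNED = Arrays.asList("SSLv2Hello", "SSLv3");

    /** Returns only the TLS entries of the JVM's supported protocol list. */
    static String[] tlsOnly(String[] supported) {
        List<String> allowed = new ArrayList<>();
        for (String p : supported) {
            if (p.startsWith("TLSv")) {
                allowed.add(p);
            }
        }
        if (allowed.isEmpty()) {
            throw new IllegalStateException("JVM offers no TLS protocol; refusing to start");
        }
        return allowed.toArray(new String[0]);
    }

    /** True if the socket's enabled set still contains a banned protocol. */
    static boolean stillAcceptsSslv3(SSLServerSocket socket) {
        for (String p : socket.getEnabledProtocols()) {
            if (BANNED.contains(p)) return true;
        }
        return false;
    }

    /** Binds a server socket that will only complete TLS handshakes. */
    public static SSLServerSocket bind(int port) throws Exception {
        // "TLS" selects the JVM default context; key material is taken from
        // the javax.net.ssl.keyStore system properties in this example.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(port);
        socket.setEnabledProtocols(tlsOnly(socket.getSupportedProtocols()));
        if (stillAcceptsSslv3(socket)) {   // defensive re-check before serving
            socket.close();
            throw new IllegalStateException("SSLv3 still enabled after filtering");
        }
        return socket;
    }
}
```

The same filter can be applied to an SSLEngine or SSLParameters object where a framework builds the socket for you, and the re-check is the kind of assertion worth keeping in a startup self-test.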