Posted to notifications@accumulo.apache.org by "Sean Busbey (JIRA)" <ji...@apache.org> on 2014/11/07 19:13:34 UTC
[jira] [Created] (ACCUMULO-3316) Update TLS usage to mitigate POODLE
Sean Busbey created ACCUMULO-3316:
-------------------------------------
Summary: Update TLS usage to mitigate POODLE
Key: ACCUMULO-3316
URL: https://issues.apache.org/jira/browse/ACCUMULO-3316
Project: Accumulo
Issue Type: Task
Components: monitor, rpc
Affects Versions: 1.6.0, 1.5.0
Reporter: Sean Busbey
Priority: Blocker
Fix For: 1.5.3, 1.6.2, 1.7.0
Courtesy [~bhavanki]
{quote}
Recently, Google uncovered a vulnerability [1][2], now nicknamed "POODLE",
in the SSLv3 protocol. The vulnerability provides a mechanism for MITM
attackers to extract cleartext from SSLv3 traffic.
Accumulo currently allows the use of SSLv3 in these areas. Therefore,
Accumulo [deployments can be impacted].
1. The monitor uses Jetty to listen for https connections, and Jetty
supports SSLv3.
2. All of the daemons that listen for Thrift connections can do so over
SSLv3.
The simplest and most effective way to eliminate Accumulo's susceptibility
to this vulnerability is to prevent the use of SSLv3 across all Accumulo
server processes. In general, such changes should be straightforward,
essentially removing SSLv3 from the set of supported protocols and only
allowing clients to negotiate across the various newer TLS versions, which
are not susceptible to this vulnerability.
[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
[2] https://www.us-cert.gov/ncas/alerts/TA14-290A
{quote}
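The fix the quoted text describes, removing SSLv3 from the set of protocols a server socket will negotiate, looks like this in plain JSSE. This is an added example, not Accumulo's own code or patch: it derives the enabled list from what the JVM reports as supported, keeps only TLS versions, and refuses to start if no TLS version is available rather than silently falling back.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Added example (not Accumulo code): restrict a JSSE server socket to TLS
 * versions only, dropping SSLv3 (and the SSLv2Hello pseudo-protocol) from
 * whatever the JVM reports as supported.
 */
public class PoodleMitigation {

    // JSSE protocol names that must never be offered by the server.
    private static final List<String> FORBIDDEN = Arrays.asList("SSLv3", "SSLv2Hello");

    /** Return the subset of 'supported' that is safe to enable: TLS versions only. */
    public static String[] tlsOnly(String[] supported) {
        List<String> enabled = new ArrayList<String>();
        for (String p : supported) {
            if (FORBIDDEN.contains(p)) continue;      // explicit: SSLv3 / SSLv2Hello never enabled
            if (p.startsWith("TLS")) enabled.add(p);  // keep TLSv1, TLSv1.1, TLSv1.2, ...
        }
        if (enabled.isEmpty()) {
            // Fail closed: an empty list would otherwise leave the JVM defaults in place.
            throw new IllegalStateException("JVM offers no TLS protocol; refusing to fall back to SSLv3");
        }
        return enabled.toArray(new String[0]);
    }

    /** Apply the restriction to a server socket before it starts accepting connections. */
    public static void hardenServerSocket(SSLServerSocket socket) {
        socket.setEnabledProtocols(tlsOnly(socket.getSupportedProtocols()));
    }

    public static void main(String[] args) throws Exception {
        // The default factory is enough to inspect and set protocols; a real daemon
        // would build the socket from an SSLContext loaded with its keystore.
        SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(0);
        try {
            System.out.println("before: " + Arrays.toString(socket.getEnabledProtocols()));
            hardenServerSocket(socket);
            System.out.println("after:  " + Arrays.toString(socket.getEnabledProtocols()));
        } finally {
            socket.close();
        }
    }
}
```

For the Jetty-based monitor the same result is reached through the SslContextFactory's exclude-protocols setting rather than by touching sockets directly; for the Thrift daemons the socket returned by the Thrift SSL transport factory can be hardened exactly as above before it is handed to the server.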
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)