Posted to notifications@accumulo.apache.org by "Sean Busbey (JIRA)" <ji...@apache.org> on 2014/11/07 19:13:34 UTC

[jira] [Created] (ACCUMULO-3316) Update TLS usage to mitigate POODLE

Sean Busbey created ACCUMULO-3316:
-------------------------------------

             Summary: Update TLS usage to mitigate POODLE
                 Key: ACCUMULO-3316
                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3316
             Project: Accumulo
          Issue Type: Task
          Components: monitor, rpc
    Affects Versions: 1.6.0, 1.5.0
            Reporter: Sean Busbey
            Priority: Blocker
             Fix For: 1.5.3, 1.6.2, 1.7.0


Courtesy [~bhavanki]

{quote}
Recently, Google uncovered a vulnerability [1][2], now nicknamed "POODLE",
in the SSLv3 protocol. The vulnerability provides a mechanism for MITM
attackers to extract cleartext from SSLv3 traffic.

Accumulo currently allows the use of SSLv3 in these areas. Therefore,
Accumulo [deployments can be impacted].

1. The monitor uses Jetty to listen for https connections, and Jetty
supports SSLv3.
2. All of the daemons that listen for Thrift connections can do so over
SSLv3.

The simplest and most effective way to eliminate Accumulo's susceptibility
to this vulnerability is to prevent the use of SSLv3 across all Accumulo
server processes. In general, such changes should be straightforward,
essentially removing SSLv3 from the set of supported protocols and only
allowing clients to negotiate across the various newer TLS versions, which
are not susceptible to this vulnerability.

[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
[2] https://www.us-cert.gov/ncas/alerts/TA14-290A
{quote}
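The fix described above, removing SSLv3 from the set of protocols a server socket will negotiate, can be shown directly against the JSSE API that both Jetty and Thrift ultimately sit on. The following Java program is an added illustration and is not Accumulo's code or the patch for this issue; the class name PoodleHardening and the helper names tlsOnly, restrict and allowsSslv3 are my own. It creates an SSLContext with no key material (enough to inspect protocol lists, although a real handshake would fail), prints the JVM's default enabled protocols, then applies a TLS-only list and re-checks that SSLv3 is gone. The same setEnabledProtocols call works on any SSLServerSocket, including the one behind a Thrift TServerSocket built with TSSLTransportFactory; Jetty's SslContextFactory expresses the same restriction through its exclude-protocols setters.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Illustrative helper (not Accumulo code): restrict a JSSE server socket to
 * TLS versions only, so a client can no longer negotiate SSLv3.
 */
public class PoodleHardening {

    /** Protocol names that must never be offered; SSLv2Hello is the legacy hello format. */
    private static final List<String> FORBIDDEN = Arrays.asList("SSLv3", "SSLv2Hello");

    /**
     * Return the subset of the supported protocol names that are TLS versions.
     * Kept as a pure function so it can be unit-tested without opening sockets.
     */
    public static String[] tlsOnly(String[] supported) {
        List<String> keep = new ArrayList<String>();
        for (String p : supported) {
            if (p.startsWith("TLSv") && !FORBIDDEN.contains(p)) {
                keep.add(p);
            }
        }
        if (keep.isEmpty()) {
            // Refuse to start rather than silently fall back to SSLv3.
            throw new IllegalStateException("JVM offers no TLS protocol; refusing to start");
        }
        return keep.toArray(new String[keep.size()]);
    }

    /** Apply the restriction to a freshly created server socket and hand it back. */
    public static SSLServerSocket restrict(SSLServerSocket socket) {
        socket.setEnabledProtocols(tlsOnly(socket.getSupportedProtocols()));
        return socket;
    }

    /** Startup self-check: true if SSLv3 is still negotiable on this socket. */
    public static boolean allowsSslv3(SSLServerSocket socket) {
        return Arrays.asList(socket.getEnabledProtocols()).contains("SSLv3");
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // no key material: sufficient to inspect protocol lists
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();

        // Before: whatever the JVM enables by default (JDKs of the POODLE era included SSLv3).
        SSLServerSocket before = (SSLServerSocket) factory.createServerSocket(0);
        System.out.println("default enabled:  " + Arrays.toString(before.getEnabledProtocols()));
        System.out.println("SSLv3 allowed?    " + allowsSslv3(before));
        before.close();

        // After: TLS versions only.
        SSLServerSocket after = restrict((SSLServerSocket) factory.createServerSocket(0));
        System.out.println("hardened enabled: " + Arrays.toString(after.getEnabledProtocols()));
        System.out.println("SSLv3 allowed?    " + allowsSslv3(after));
        after.close();
    }
}
```

Compile and run with a plain JDK (no extra dependencies). The list printed on the first line is the JVM's own default, so it varies by JDK version; on a modern JDK it will already lack SSLv3, which is exactly the point of the allowsSslv3 check: a deployment should verify the enabled list at startup rather than assume the runtime's defaults are safe.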



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)