Posted to users@tomcat.apache.org by Jeffrey Janner <Je...@PolyDyne.com> on 2014/06/26 01:05:18 UTC

CVE-2014-0224

Does anyone know of a way to mitigate this vulnerability until the latest OpenSSL patch can be applied to the Native Libraries?
Perhaps limiting the cipher list to the list of strongest ciphers available that are supported by the major browsers?
Is there a listing somewhere of the cipher lists supported by those browsers?

Jeffrey Janner
Sr. Network Administrator
jeffrey.janner@polydyne.com
PolyDyne Software Inc.
Main:   512.343.9100
Direct:  512.583.8930


Speed, Intelligence & Savings in Sourcing


RE: CVE-2014-0224

Posted by Jeffrey Janner <Je...@PolyDyne.com>.
> From: Jeffrey Janner [mailto:Jeffrey.Janner@PolyDyne.com] 
> Sent: Wednesday, June 25, 2014 6:05 PM
> To: 'Tomcat Users List'
> Subject: CVE-2014-0224
>
> Does anyone know of a way to mitigate this vulnerability until the latest OpenSSL patch can be applied to the Native Libraries?
> Perhaps limiting the cipher list to the list of strongest ciphers available that are supported by the major browsers?
> Is there a listing somewhere of the cipher lists supported by those browsers?

Answering my own post after doing a little googling (Google is Your Friend. Trust the Google.). Actually, Red Hat is providing the answer:

There is no known mitigation for this issue. The only way to fix it is to install updated OpenSSL packages and restart affected services.

The vulnerability can only be exploited if both server and client are vulnerable to this issue. In the event that one of the two is vulnerable, there is no risk of exploitation.
