Posted to dev@ranger.apache.org by "Mehul Parikh (JIRA)" <ji...@apache.org> on 2018/06/12 05:41:00 UTC

[jira] [Assigned] (RANGER-2131) Ranger UserSync port (ie 5151) supports TLSv1.0

     [ https://issues.apache.org/jira/browse/RANGER-2131?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mehul Parikh reassigned RANGER-2131:
------------------------------------

    Assignee: Nikhil Purbhe

> Ranger UserSync port (ie 5151) supports TLSv1.0
> -----------------------------------------------
>
>                 Key: RANGER-2131
>                 URL: https://issues.apache.org/jira/browse/RANGER-2131
>             Project: Ranger
>          Issue Type: Bug
>          Components: usersync
>    Affects Versions: 1.0.0
>            Reporter: t oo
>            Assignee: Nikhil Purbhe
>            Priority: Major
>              Labels: security
>             Fix For: 1.1.0
>
>
> THREAT:
> TLS is capable of using a multitude of ciphers (algorithms) to create the public and private key pairs.
> For example, TLSv1.0 may use either the RC4 stream cipher or a block cipher in CBC mode.
> RC4 is known to have biases and the block cipher in CBC mode is vulnerable to the POODLE attack.
> TLSv1.0, if configured to use the same cipher suites as SSLv3, includes a means by which a TLS implementation can downgrade the connection to SSL v3.0, thus weakening security.
> A POODLE-type ([https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls]) attack could also be launched directly at TLS without negotiating a downgrade.
> This QID will be marked as a Fail for PCI as of May 1st, 2017 in accordance with the new standards. For existing implementations, Merchants will be able to submit a PCI False Positive / Exception Request and provide proof of their Risk Mitigation and Migration Plan, which will result in a pass for PCI up until June 30th, 2018.
> Further details can be found at: NEW PCI DSS v3.2 and Migrating from SSL and Early TLS v1.1 ([https://community.qualys.com/message/34120])
> IMPACT:
> An attacker can exploit cryptographic flaws to conduct man-in-the-middle type attacks or to decrypt communications.
> For example: An attacker could force a downgrade from the TLS protocol to the older SSLv3.0 protocol and exploit the POODLE vulnerability, read secure communications or maliciously modify messages.
> A POODLE-type ([https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls]) attack could also be launched directly at TLS without negotiating a downgrade.
> SOLUTION:
> Disable the use of TLSv1.0 protocol in favor of a cryptographically stronger protocol such as TLSv1.2.
> The following openssl commands can be used to do a manual test:
> openssl s_client -connect ip:port -tls1
> If the test is successful, then the target supports TLSv1.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
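The manual `openssl s_client -tls1` check from the ticket's SOLUTION section, generalised to every protocol version the local openssl binary can request, as an added shell example. This is not code from the Ranger project or from the issue reporter. The host name, the `tls_probe_result` classifier and the probe-output patterns it matches are assumptions; the defender's expectation when verifying the fix is that the UserSync listener reports TLSv1 and TLSv1.1 as rejected and only TLSv1.2 or later as accepted.

```shell
#!/bin/sh
# Added example (not Ranger project code): probe a TLS listener for each
# protocol version and report which ones the server accepts. A hardened
# UserSync port should reject -tls1 and -tls1_1 and accept -tls1_2 / -tls1_3.

# Classify captured `openssl s_client` output (stdout and stderr combined).
# Returns 0 when the handshake completed with the requested protocol,
# 1 when the server refused it. Pure text function, so it can be checked
# offline against constructed output (see the usage below).
tls_probe_result() {
  out="$1"
  # A refused version prints an alert or a version error and a summary
  # line with "Cipher is (NONE)"; these patterns are assumptions based on
  # common openssl output.
  if printf '%s\n' "$out" | grep -Eq 'handshake failure|wrong version number|unsupported protocol|no protocols available|alert protocol version|Cipher is \(NONE\)'; then
    return 1
  fi
  # A completed handshake prints the negotiated version in the
  # "SSL-Session:" block, e.g. "    Protocol  : TLSv1.2".
  if printf '%s\n' "$out" | grep -Eq '^ *Protocol *: *(TLSv1(\.[123])?|SSLv3) *$'; then
    return 0
  fi
  return 1
}

# Probe one version. $1 = host, $2 = port, $3 = s_client version flag.
probe_version() {
  host="$1"; port="$2"; flag="$3"
  # </dev/null closes stdin so s_client exits right after the handshake.
  out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1)
  if tls_probe_result "$out"; then
    echo "$flag: ACCEPTED"
  else
    echo "$flag: rejected"
  fi
}

# Probe every version flag. A flag the local openssl was built without
# (e.g. -ssl3 or -tls1 on a modern build) simply shows as rejected;
# check `openssl s_client -help` if a result looks surprising.
probe_all() {
  for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
    probe_version "$1" "$2" "$flag"
  done
}

# Usage (assumed host; 5151 is the UserSync port named in the ticket):
# probe_all usersync.example.internal 5151
```

Run `probe_all` against the UserSync host before and after applying the fix: any line reading `-tls1: ACCEPTED` or `-tls1_1: ACCEPTED` means the listener still negotiates early TLS and the scanner finding (the QID in the ticket) will reappear.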