Important information about FirstSpirit in context of current SSLv3 security problem CVE-2014-3566 ("Poodle vulnerability")

isenberg
I'm new here
0 0 471

Since October 14 2014, a security problem within the SSLv3 protocol is publicly known, which allows remote attackers to obtain sensitive information like private keys and passwords from any service using this protocol over https.

Further general information: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566

Depending on the used https infrastructure, your FirstSpirit system might be vulnerable to this security issue.

The FirstSpirit system is vulnerable, if the following check commmand completes with the text message "DONE". The command is launched on the command line of a Unix or Windows host with installed openssl software and network access to the FirstSpirit host. The hostname as parameter to the command must be the same as any FirstSpirit editor is using to open the FirstSpirit start page.

Check Command:

echo | openssl s_client  -connect firstspirithost.domain:443 -ssl3

Message "DONE" means your system is vulnerable!

If your system is shown to be affected by this security issue, modify your https server configuration as follows, depending on the server system in use:

Apache httpd

2.2.22 and older:

SSLHonorCipherOrder on

SSLProtocol TLSv1

2.2.23 and newer

SSLHonorCipherOrder on

SSLProtocol ALL -SSLv2 -SSLv3

Apache Tomcat 6

file tomcat/conf/server.xml,

add the line sslProtocols="TLSv1,TLSv1.1,TLSv1.2" as attribute to the "Connector" section:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" 

     maxThreads="150" scheme="https" secure="true" clientAuth="false" 

     sslProtocol="TLS" 

     sslProtocols = "TLSv1,TLSv1.1,TLSv1.2"

     keystoreFile="conf/keystore.jks"

     keystorePass="changeit" 

/>

Apache Tomcat 7

file tomcat/conf/server.xml,

add the line sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" as attribute to the "Connector" section:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"

     maxThreads="150" scheme="https" secure="true" clientAuth="false"

     sslProtocol="TLS"

     sslEnabledProtocols = "TLSv1,TLSv1.1,TLSv1.2"

     keystoreFile="conf/keystore.jks"

     keystorePass="changeit"

/>

Jetty 7 and newer, embedded in FirstSpirit 5.0, 5.1, 5.2

This modification is only required if the Jetty https port is enabled and exposed to a local network or the Internet, not if it is bound to localhost only or used as backend server behind another https offloader.

File firstspirit5/conf/fs-webapp.xml,

add the array "ExcludeProtocols" to the HTTPS connector, section sslContextFactory:

<!-- HTTPS-Connector -->

<!-- =============== -->

<!-- if NIO is not available, use org.eclipse.jetty.server.ssl.SslSocketConnector -->

<New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">

          <Set name="KeyStore"><SystemProperty name="cmsroot" />/conf/fs-keystore.jks</Set>

          <Set name="KeyStorePassword">changeit</Set>

          <Set name="KeyManagerPassword">changeit</Set>

          <Set name="ExcludeProtocols">

               <Array type="java.lang.String">

                         <Item>SSLv3</Item>

               </Array>

          </Set>

</New>

<Call name="addConnector">

          <Arg>

                    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">

                              <Arg><Ref id="sslContextFactory"/></Arg>

                              <Set name="Port">8443</Set>

                              <Set name="maxIdleTime">30000</Set>

                              <Set name="Acceptors">2</Set>

                              <Set name="AcceptQueueSize">100</Set>

                    </New>

          </Arg>

</Call>

The FirstSpirit internal encryption on the client server connection when using http, which can be enabled via the ServerManager at menu entry "Server -> Properties -> Webstart", is not affected by this vulnerability as the implementation is not using the SSL protocol, only TLS or optionally RC4. The use of the FirstSpirit socket mode connection is not recommended for the client server connection regarding the following security advisory: Security Advisory for FirstSpirit

In one of the next FirstSpirit versions, the default settings will include the modified fs-webapp.xml, though this file is not automatically replaced on any FirstSpirit update.

Tags (1)