CVE-2014-3566 (POODLE: SSLv3 vulnerability)

October 17, 2014

A security issue was recently discovered for browsers and websites using SSL version 3.0 for encryption. For more information pertaining to this problem, please see CVE-2014-3566 from the National Vulnerability Database.

This issue is not limited to Cascade Server - it affects any and all web sites where both the server and client browser allow for the use of SSLv3. Modern browsers should be providing updates within the next several weeks to ensure that clients are not vulnerable. In the meantime, Cascade Server environments running over SSL should be configured such that they do not allow for transmission over SSLv3. Instructions for disabling SSLv3 can be found below:

Patching Tomcat

NOTE: These instructions are for Cascade Server installations where Tomcat is handling SSL encryption for the application:

  • Edit the file tomcat/conf/server.xml
  • Add the following attributes to the HTTPS <Connector> element. For Tomcat's JSSE connectors, sslProtocol names the single SSLContext algorithm ("TLS") and sslEnabledProtocols carries the comma-separated list of protocol versions to enable; a comma-separated list is not a valid value for sslProtocol on its own:
sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

An example Connector for Linux will look similar to this:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true" clientAuth="false"
    sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    keystoreFile="/path/to/keystore.jks" keystorePass="changeit" />

An example Connector for Windows will look similar to this:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true" clientAuth="false"
    sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    keystoreFile="/path/to/keystore.jks" keystorePass="changeit" />
  • Save the changes to the server.xml file
  • Restart Cascade Server

Patching Apache Web Server

NOTE: These instructions are only for Cascade Server installations where SSL offloading is done via Apache:

  • Add the following line to any SSL VirtualHosts in the Apache configuration:
SSLProtocol All -SSLv2 -SSLv3
  • Restart Apache
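The following script is an added example, not part of this advisory or of Cascade Server, that audits both configurations described above before the restart: it flags SSL-enabled Tomcat Connectors whose sslEnabledProtocols attribute (the Tomcat JSSE attribute that takes a comma-separated protocol list) is missing or still names SSLv2/SSLv3, and Apache VirtualHosts whose SSLProtocol directive is absent or still evaluates to allowing SSLv3. The sample server.xml and Apache fragments are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml: port 8443 is not pinned to TLS, port 8444 is.
SAMPLE_SERVER_XML = """<Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
      SSLEnabled="true" sslProtocol="TLS" keystoreFile="/path/to/keystore.jks" />
  <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
      SSLEnabled="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
</Service>"""

# Constructed sample Apache config: the second VirtualHost only removed SSLv2.
SAMPLE_APACHE_CONF = """<VirtualHost *:443>
    SSLProtocol All -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost *:8443>
    SSLProtocol All -SSLv2
</VirtualHost>"""

def tomcat_findings(server_xml):
    """Ports of SSL-enabled Connectors whose sslEnabledProtocols is missing
    (so the JVM default applies, which may include SSLv3) or lists SSLv2/SSLv3."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        protos = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()}
        if not protos or protos & {"SSLv2", "SSLv3"}:
            findings.append(conn.get("port"))
    return findings

def apache_allows_sslv3(directive):
    """Evaluate a mod_ssl SSLProtocol value: 'all' enables every version,
    '-x' removes a version, '+x' or a bare name adds one."""
    allowed = set()
    for tok in directive.split():
        name = tok.lstrip("+-").lower()
        names = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"} if name == "all" else {name}
        allowed = allowed - names if tok.startswith("-") else allowed | names
    return "sslv3" in allowed

def apache_findings(conf):
    """VirtualHost labels with no SSLProtocol directive or one that still allows SSLv3."""
    findings = []
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S):
        label, body = m.group(1), m.group(2)
        d = re.search(r"^\s*SSLProtocol\s+(.+?)\s*$", body, re.M | re.I)
        if d is None or apache_allows_sslv3(d.group(1)):
            findings.append(label)
    return findings
```

Run `tomcat_findings(open("tomcat/conf/server.xml").read())` and `apache_findings(...)` on the real files; an empty list from both means every SSL endpoint has SSLv3 switched off.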