Poodle exploit: exclude SSLv3 in example Jetty HTTPS configuration (thanks to David Gerdes, University of Illinois)

Description

To avoid any possibility of the [http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html|POODLE vulnerability], we should disable SSLv3 in the commented example of an HTTPS connector in the jetty.xml file included in etc/examples.

Note that no HTTPS connector is enabled by default, so the user needs to take action to enable one in the first place as well as to update the jetty.xml file on servers where one has already been manually enabled.
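As an added illustration of the change this issue asks for (not the project's own etc/examples/jetty.xml), the fragment below shows an example HTTPS connector whose SslContextFactory excludes SSLv3. Jetty 8 class names, the keystore path and the port are assumptions; the only security-relevant addition is the ExcludeProtocols block.

```xml
<!-- Example HTTPS connector with SSLv3 disabled (constructed example, not the shipped file). -->
<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <Arg>
        <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
          <!-- Assumed keystore location and credentials; replace with your own. -->
          <Set name="KeyStore"><Property name="jetty.home" default="." />/etc/keystore</Set>
          <Set name="KeyStorePassword">changeit</Set>
          <Set name="KeyManagerPassword">changeit</Set>
          <!-- The POODLE fix: refuse SSLv3 handshakes. Without this block the JVM
               default protocol list is used, which (in 2014-era JDKs) still offered SSLv3. -->
          <Set name="ExcludeProtocols">
            <Array type="java.lang.String">
              <Item>SSLv3</Item>
            </Array>
          </Set>
        </New>
      </Arg>
      <Set name="Port">8443</Set>
      <Set name="maxIdleTime">30000</Set>
    </New>
  </Arg>
</Call>
```

After restarting Jetty, an SSLv3-only handshake attempt against the port should be rejected with a handshake failure, which is the check the comments below describe.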

Acceptance / Success Criteria

None

Activity

Gabriela Lopez January 30, 2023 at 6:47 PM

Information Security risk assessed as a medium.

CVSS 7.7 x med likelihood .8 = 6.2 medium

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:A/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X

Jeff Gehlbach October 17, 2014 at 10:37 AM

CI passes, feature branch merged. Resolving.

Jeff Gehlbach October 17, 2014 at 10:36 AM

Also verified that SSLv3 is no longer on offer once this config is in place:

Jeff Gehlbach October 16, 2014 at 5:59 PM

Committed a fix from David Paul Gerdes in a fix branch. Waiting for CI cycle before merging.

Fixed

Created October 16, 2014 at 5:27 PM
Updated January 30, 2023 at 6:47 PM
Resolved October 17, 2014 at 10:37 AM