| -----BEGIN PGP SIGNED MESSAGE----- |
| Hash: SHA1 |
| |
| |
| Note on CVE-2014-3566 - SSL 3.0 support in Apache CXF, aka the "POODLE" attack: |
| |
| The SSL protocol 3.0 uses non-deterministic CBC padding, which makes it easier |
| for man-in-the-middle attackers to obtain clear text data via a padding-oracle |
| attack, aka the "POODLE" issue: https://access.redhat.com/articles/1232123 |
| |
| The problem with POODLE comes when the connection is downgraded to use SSL 3.0 |
| when higher level TLS comms fail. If an attacker in the middle of a connection |
| can cause this failure then they may be able to force the browser to do |
| exactly what it’s designed to do – fall back to SSL 3.0 and try again. |
| |
| Apache CXF disables support for SSLv3 by default for both clients, as well as |
| Jetty servers configured via CXF's HTTPJ namespace, from the 3.0.3 and 2.7.14 |
| releases. To support SSLv3 it is necessary to specify "SSLv3" for the |
| "secureSocketProtocol" attribute, see the tls configuration link below. |
| |
| References: |
| |
| http://cxf.apache.org/security-advisories.html |
| https://issues.apache.org/jira/browse/CXF-6086 |
| http://cxf.apache.org/docs/tls-configuration.html |
| |
| -----BEGIN PGP SIGNATURE----- |
| Version: GnuPG v1 |
| |
| iQEcBAEBAgAGBQJUkELkAAoJEGe/gLEK1TmDeCcH/RxLLkEr+oEcgWrYa4rKrMPq |
| Sw+62Hzpswi5zYHIH5p2pKuMN9WhvxqsBZKT6SoSHfJ28yvcbiBG78o49O/nLois |
| spUFTMSZAkdHAvg6G0gr5ODXCOxZyCQS9Tjf7cWfkne9sepIveP3RdHs75V+0C9u |
| bxMzkEYRc58ZUD6xDzoGsLhnm0jiIfkCg7sjKH/3j6eG3LV7Blj578GZZmAkRK4E |
| rNxGDX9X7LksdDXi4wB0RW5n3GKRj5WSf7rWgxJQOJ0Zde3WdNALyPxLW9+MN5NK |
| ZuXZ6SvJKKB33/cbyTBlti4PaFpG9D0T6KRvNwsqP42e9MPk/6V+ywR3aa4PU94= |
| =XS57 |
| -----END PGP SIGNATURE----- |
