Application Delivery (ADX)

Regular Visitor
Posts: 1
Registered: 06-09-2014

Influence POODLE: SSLv3 vulnerability (CVE-2014-3566) for ServerIron ADX 1000(SI-1016-2-SSL)

Hi.

Please tell me about the impact of the POODLE vulnerability on the ServerIron ADX 1000.

New Member
Posts: 1
Registered: 10-17-2013

Re: Influence POODLE: SSLv3 vulnerability (CVE-2014-3566) for ServerIron ADX 1000(SI-1016-2-SSL)

We are also affected.

As mentioned by a number of experts, SSLv3 should be disabled and TLS 1.0, 1.1 and 1.2 should be used instead.

It does have an impact on end users, in that IE6 on XP does not support this, and users who browse to sites with TLS will be unable to connect to the server; the browser will say "unable to connect".

I have been informed by our provider that the ADX series currently has no way to disable SSLv3, so I am hoping there will be a firmware update ASAP.

Brocadian
Posts: 2
Registered: 05-13-2013

Re: Influence POODLE: SSLv3 vulnerability (CVE-2014-3566) for ServerIron ADX 1000(SI-1016-2-SSL)

I have found a TSB here:
http://www.brocade.com/downloads/documents/technical_support_bulletins/brocade-assessment-openssl-poodle-vulnerability.pdf

For ADX, I think there are two ways this can have an impact: one is the management of the box and the other is the SSL acceleration.

I assume that the topic starter is interested in the SSL acceleration.

The best way to receive updates is through your Brocade SE or Brocade Partner.

Brocadian
Posts: 2
Registered: 05-13-2013

Re: Influence POODLE: SSLv3 vulnerability (CVE-2014-3566) for ServerIron ADX 1000(SI-1016-2-SSL)


Code version 12.4.00s was released on October 23rd, and according to the release notes it was released specifically for the POODLE issues.

I've tested this code and it disables SSLv3 for SSL termination and SSL proxy.

For HTTPS web management, the release notes advise disabling it for now as a workaround.

And for health checks, if complete health checks fail, use l4-check-only. This is also a workaround.

New Member
Posts: 1
Registered: 12-11-2014

Re: Influence POODLE: SSLv3 vulnerability (CVE-2014-3566) for ServerIron ADX 1000(SI-1016-2-SSL)

I have disabled SSLv3 on my Tomcat servers, but my ADX 1000 sees their SSL port as "Failed". I am using the complete SSL health check. I have verified that the SSL port is up and responding properly. Can I get confirmation from someone at Brocade that the only way to get the port to appear as healthy is to use the simple SSL health check?

Contributor
Posts: 74
Registered: 08-18-2011

Re: Influence POODLE: SSLv3 vulnerability (CVE-2014-3566) for ServerIron ADX 1000(SI-1016-2-SSL)

Simple SSL health checks will not help you in this case. ServerIron ADX sends a TLS Hello encapsulated in SSLv2Hello (for backward compatibility); by default, handling for this kind of Hello is disabled in new Java-based applications. In order for health checks to work, you can enable handling of SSLv2Hello on your servers.

Also, if you wish to upgrade, there should be a new patch for the firmware version that you are running with this behavior modified on the ADX side (i.e. the ADX not sending an SSLv2-encapsulated Hello message).

This link provides more information on how to enable SSLv2Hello while disabling SSLv3 for the POODLE attack.


http://mail-archives.apache.org/mod_mbox/tomcat-dev/201410.mbox/%3C20141016102430.36131.30326@eos.apache.org%3E


Disabling SSL v3 on either client side or server side will mitigate this vulnerability.

To disable SSL v3, and enable all TLS protocols plus the SSLv2Hello pseudo-protocol on JSSE connectors,
add the following attributes to your connector configuration in server.xml:

  sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"

The same thing could be done on an APR connector using the following attributes:

  TODO

Hope that helps.


-Mohit

-Mohit Sahni
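As an added example that is not from this thread, Brocade or Tomcat, the following Python audit parses a constructed Tomcat server.xml (hypothetical ports and contents) and reports, per JSSE connector, whether SSLv3 is still listed and whether the SSLv2Hello pseudo-protocol that the ADX complete SSL health check depends on is present; harden() rewrites the attribute value the way the mail quoted above recommends.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (hypothetical, not from the thread):
# port 8443 still lists SSLv3 and lacks SSLv2Hello; port 9443 is the fixed form.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv3"/>
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

LEGACY = {"SSLv2", "SSLv3"}  # protocol names that must not appear in sslEnabledProtocols


def audit_connectors(server_xml: str) -> dict:
    """Map each SSL-enabled connector port to a list of findings (empty list = OK)."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        port = conn.get("port")
        raw = conn.get("sslEnabledProtocols")
        if raw is None:
            # Attribute absent: the JVM default applies, so flag it for manual review
            findings[port] = ["sslEnabledProtocols not set; JVM default applies, verify it"]
            continue
        protos = {p.strip() for p in raw.split(",") if p.strip()}
        issues = []
        if protos & LEGACY:
            issues.append("SSLv3/SSLv2 enabled (POODLE, CVE-2014-3566)")
        if "SSLv2Hello" not in protos:
            issues.append("SSLv2Hello missing: ADX complete SSL health check "
                          "(SSLv2-encapsulated ClientHello) will be rejected")
        findings[port] = issues
    return findings


def harden(raw: str) -> str:
    """Rewrite an sslEnabledProtocols value: drop SSLv2/SSLv3, keep order, add SSLv2Hello."""
    kept = [p.strip() for p in raw.split(",") if p.strip() and p.strip() not in LEGACY]
    if "SSLv2Hello" not in kept:
        kept.append("SSLv2Hello")
    return ",".join(kept)
```

It only understands the JSSE sslEnabledProtocols attribute; APR connectors use different attributes and are not covered.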
Senior Member
Posts: 1
Registered: 06-19-2015

Re: Influence POODLE: SSLv3 vulnerability (CVE-2014-3566) for ServerIron ADX 1000(SI-1016-2-SSL)

Hi,

For SSL offloading on the ADX 1008 series (12400), will there be options for us to select which specific TLS version to disable? (Instead of just disabling TLS1, we can choose to only disable TLS v1.0 and leave TLS v1.1 and v1.2 running.)
