• Security
• POODLE

POODLE on CentOS

The POODLE attack (which stands for Padding Oracle On Downgraded Legacy Encryption) is a man in the middle exploit which takes advantage of web browsers' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. This attack was discovered by Bodo Möller, Thai Duong and Krzysztof Kotowicz from Google Security Team. The attack is not considered as serious as the Heartbleed and Shellshock attacks.

Please see this Article for a more detail explanation of POODLE.

Versions of CentOS impacted

POODLE impacts all previous versions of CentOS, but will only be addressed on active versions of CentOS. That will be releases CentOS-5.11 (or later), CentOS-6.5 (or later), CentOS-7.0.1406 (or later). Any other releases of CentOS will not be fixed.

Please note that the updates listed here do not actually FIX POODLE, they only use the TLS_FALLBACK_SCSV option to prevent triggering a fallback to SSLv3. Users also have to manually address their SSL Protocol settings on CentOS-5, CentOS-6, and CentOS-7 as well as install the updates below to mitigate POODLE and other SSL Fallback issues.

CentOS-5.11

openssl-0.9.8e-31.el5_11.<arch>.rpm

CentOS-6.6

openssl-1.0.1e-30.el6_6.2.<arch>.rpm

CentOS-7.0.1406

openssl-1.0.1e-34.el7_0.6.<arch>.rpm

Mitigation on CentOS

First step is to install the updates, you do this with the command:

yum update

Once done, verify you have at least the version listed above, for your CentOS version, with the command:

rpm -q openssl

If you have the version listed above (or newer) then you have a current enough version of openssl installed.

Configuration Changes

This article by Red Hat discusses POODLE and mitigation. The configuration changes required for Tomcat, Firefox, httpd, vsftpd, other components are in that article.

Also see https://disablessl3.com for a more complete list of programs and options.

Validating Changes

You can use Qualys SSL Labs to verify that your web server is no longer vulnerable to POODLE or TLS_FALLBACK_SCSV once all action is complete. You might also want to only use TLSv1.2 for httpd on CentOS-6.6 (or higher) and CentOS-7, while using TLSv1 on CentOS-5.