Security advisory: CVE-2014-3513 CVE-2014-3566 (POODLE) CVE-2014-3567 CVE-2014-3568

Overview

This document addresses the impact on Aspera products of the SSL vulnerabilities CVE-2014-3513, CVE-2014-3566 (POODLE), CVE-2014-3567 and CVE-2014-3568, reported Oct 15th 2014.

References:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3513

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3567

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3568

Affected Products

  • Aspera Point to Point
  • Aspera Enterprise Server

AFFECTED IF USING ASPERANODED “NODE API” OR HTTP FALLBACK

NO OTHER FEATURES AFFECTED

ACTION REQUIRED URGENTLY

  1. Disable SSLv3 for asperanoded and asperahttpd (instructions below)

ACTION REQUIRED - MODERATE PRIORITY

  1. Upgrade to Aspera version 3.5.2 or higher (to be released Oct 2014). This mitigates the denial of service exposure due to memory leaks in OpenSSL, as well as the ‘client side’ of HTTPS connections in case they connect to Aspera servers that did not disable SSLv3.

  • Aspera Connect Server

AFFECTED

ACTION REQUIRED URGENTLY

  1. Disable SSLv3 for asperanoded and asperahttpd (instructions below)
  2. Disable SSLv3 for the Apache server (Unix) or IIS (Windows) according to the OS instructions (these servers are used by Connect Server but are not part of the Aspera software package).

ACTION REQUIRED - MODERATE PRIORITY

  1. Upgrade to Aspera version 3.5.2 or higher (to be released Oct 2014). This mitigates the denial of service exposure due to memory leaks in OpenSSL, as well as the ‘client side’ of HTTPS connections in case they connect to Aspera servers that did not disable SSLv3.

  • Aspera Proxy

AFFECTED IF USING FORWARD PROXY OVER HTTPS

NO OTHER FEATURES AFFECTED

ACTION REQUIRED URGENTLY

  1. Disable SSLv3 for asperanoded (instructions below)

ACTION REQUIRED - LOW PRIORITY

  1. Upgrade to Aspera Proxy version 1.2.3 or higher (to be released Q4 2014). This mitigates the denial of service exposure due to memory leaks in OpenSSL.

  • Aspera Console
  • Aspera Faspex
  • Aspera Shares
  • Aspera Orchestrator
  • Aspera OnDemand for Amazon
  • Aspera OnDemand for Softlayer
  • Aspera OnDemand for Google Cloud

AFFECTED

ACTION REQUIRED URGENTLY

  1. Disable SSLv3 from nginx and apache (instructions below)

ACTION REQUIRED - MODERATE PRIORITY

  1. Upgrade to Aspera Shares version 1.9.0, Aspera Faspex 3.9.0, Aspera Console 2.5.3, Aspera Orchestrator 2.10.0 and the corresponding Aspera OnDemand versions (to be released Q1/Q2 2014). This mitigates the denial of service exposure due to memory leaks in OpenSSL, as well as the ‘client side’ of HTTPS connections in case they connect to Aspera servers that did not disable SSLv3.

  • Aspera OnDemand for Azure

AFFECTED - CORRECTED 2014-10-17

Aspera deployed the urgent configuration updates Oct 15-17 2014.

  • Aspera Client
  • Aspera Drive
  • Aspera Cargo
  • Aspera Outlook Plugin
  • Aspera Mobile

AFFECTED

ACTION REQUIRED URGENTLY

  1. Ensure the Aspera servers you connect to have been updated to disable SSLv3 per the instructions below.

ACTION REQUIRED - MODERATE PRIORITY

  1. Upgrade to any of the versions of the Aspera clients released after Oct 15th 2014 to mitigate client-side exposure in case they connect to Aspera servers that did not disable SSLv3.

Aspera Connect

NOT AFFECTED

Aspera Async

NOT AFFECTED

How to disable SSLv3 for Aspera Enterprise Server, Point to Point, Connect Server, Proxy

Edit aspera.conf and set ssl_protocol to tlsv1.2.

Note this requires the latest software version 3.5.1 (or higher).

<CONF>
   ...
   <server>
       ...
       <ssl_protocol>tlsv1.2</ssl_protocol>
   </server>
</CONF>

Restart services/daemons:

  • asperanoded
  • asperahttpd

How to disable SSLv3 for Aspera Faspex, Aspera Console and Aspera Orchestrator

Edit the configuration files:

 httpd-ssl.conf (Linux: /opt/aspera/common/apache/conf/extra/httpd-ssl.conf)
 httpd-ssl_template.conf (Linux: /opt/aspera/common/apache/conf/extra/httpd-ssl_template.conf)

Add the option:

  SSLProtocol All -SSLv2 -SSLv3

Restart the Aspera HTTPS (Apache) daemon/service (asctl apache:restart).

How to disable SSLv3 for Aspera Shares

Edit the configuration file nginx.conf (Linux: /opt/aspera/shares/etc/nginx)

Find the line:

   ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

Replace it with:

   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Restart the Aspera Shares service/daemon: /etc/init.d/aspera-shares restart
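As an added example (not Aspera's code and not part of this advisory), a small Python audit that applies the three configuration checks above to configuration text, so an administrator can confirm the edits took effect before restarting. The aspera.conf, nginx.conf and httpd-ssl.conf snippets embedded in it are constructed samples, not files from a real installation.

```python
"""Audit the SSL protocol settings this advisory tells administrators to change:
aspera.conf <ssl_protocol>, nginx ssl_protocols and Apache SSLProtocol."""
import re
import xml.etree.ElementTree as ET

# Constructed samples (not real Aspera files): each format before and after the fix.
ASPERA_CONF_WEAK = "<CONF><server><server_name>demo</server_name></server></CONF>"
ASPERA_CONF_FIXED = "<CONF><server><ssl_protocol>tlsv1.2</ssl_protocol></server></CONF>"
NGINX_WEAK = "server {\n    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n}\n"
NGINX_FIXED = "server {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"
APACHE_WEAK = "SSLEngine on\nSSLProtocol All\n"
APACHE_FIXED = "SSLEngine on\nSSLProtocol All -SSLv2 -SSLv3\n"

def check_aspera_conf(xml_text: str) -> list[str]:
    """aspera.conf: <server><ssl_protocol> must be present and pinned to tlsv1.2."""
    node = ET.fromstring(xml_text).find("./server/ssl_protocol")
    if node is None or not (node.text or "").strip():
        return ["aspera.conf: <ssl_protocol> not set; the daemon default may still offer SSLv3"]
    value = node.text.strip()
    if value.lower() != "tlsv1.2":
        return [f"aspera.conf: ssl_protocol is {value!r}; the advisory requires tlsv1.2"]
    return []

def check_nginx(conf: str) -> list[str]:
    """nginx.conf: no ssl_protocols directive may list SSLv3."""
    findings = []
    for m in re.finditer(r"^\s*ssl_protocols\s+([^;]+);", conf, re.M):
        if "sslv3" in m.group(1).lower().split():
            findings.append(f"nginx.conf: SSLv3 still enabled: {m.group(0).strip()}")
    return findings

def check_apache(conf: str) -> list[str]:
    """httpd-ssl.conf: SSLProtocol must exist and must not leave SSLv3 enabled."""
    # Apache semantics: 'All', 'SSLv3' or '+SSLv3' enable it unless '-SSLv3' is also given.
    directives = re.findall(r"^\s*SSLProtocol\s+(.+?)\s*$", conf, re.M)
    if not directives:
        return ["httpd-ssl.conf: no SSLProtocol directive; the Apache default permits SSLv3"]
    findings = []
    for value in directives:
        tokens = value.lower().split()
        enables = any(t in ("all", "sslv3", "+sslv3") for t in tokens)
        if enables and "-sslv3" not in tokens:
            findings.append(f"httpd-ssl.conf: SSLv3 still enabled: SSLProtocol {value}")
    return findings

def audit(aspera_xml: str, nginx_conf: str, apache_conf: str) -> list[str]:
    """Run all three checks; an empty list means SSLv3 is disabled everywhere."""
    return check_aspera_conf(aspera_xml) + check_nginx(nginx_conf) + check_apache(apache_conf)
```

Feed the real files' contents to audit() in place of the constructed constants; any returned line names the file and the directive that still permits SSLv3.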