- https://www.us-cert.gov/ncas/alerts/TA14-290A
- http://www.techrepublic.com/article/poodle-vulnerability-hastens-the-death-of-ssl-3-0/
- https://access.redhat.com/articles/1232123
There is no patch for POODLE: it is a design flaw in the SSL 3.0 protocol itself, not an implementation bug, so the remedy is to disable SSLv3 and use TLS, which is now the preferred encryption protocol.
Are you vulnerable?
Courtesy of this website, you can check if your website is available over SSLv3 with:
curl -v -3 -X HEAD https://www.raastech.com
(Newer curl versions warn that -X HEAD waits for a response body; curl -v -3 -I issues a true HEAD request and is equivalent for this check.)
If you are not vulnerable, you should not be able to connect, and your output should look something like this:
* SSL peer handshake failed, the server most likely requires a client certificate to connect
If you are vulnerable, you should see normal connection output, including the line:
* SSL 3.0 connection using SSL_NULL_WITH_NULL_NULL
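The curl check above depends on a curl build that still speaks SSLv3, which current builds often do not. As an added example that is not part of the original post, the following Python script performs the same check without any TLS library: it sends a raw SSL 3.0 ClientHello and classifies the first record the server returns. A ServerHello at version 3.0 means SSLv3 is still enabled (vulnerable); an alert or a dropped connection means the server refuses it. The cipher-suite list, the result labels and the port/timeout defaults are this example's own choices, and the target host is taken from the command line rather than assumed.

```python
import os
import socket
import struct
import sys

# Cipher suites offered in the SSLv3 ClientHello (IANA codes; an assumed, representative list).
SSLV3_CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_sslv3_client_hello() -> bytes:
    """Build a minimal SSL 3.0 ClientHello record (SSLv3 has no extensions)."""
    suites = b"".join(struct.pack("!H", s) for s in SSLV3_CIPHER_SUITES)
    body = (
        b"\x03\x00"                                   # client_version = SSL 3.0
        + os.urandom(32)                              # random (time field value is irrelevant here)
        + b"\x00"                                     # session_id length = 0
        + struct.pack("!H", len(suites)) + suites     # cipher_suites
        + b"\x01\x00"                                 # one compression method: null
    )
    # Handshake header: type 1 = ClientHello, 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 22 = handshake, version 3.0, 16-bit length
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server returns after an SSLv3 ClientHello."""
    if len(data) < 5:
        return "closed"            # connection dropped without any record: SSLv3 refused
    content_type, major, minor, _length = struct.unpack("!BBBH", data[:5])
    if content_type == 0x16 and (major, minor) == (3, 0) and len(data) > 5 and data[5] == 0x02:
        return "sslv3-accepted"    # ServerHello negotiated at SSL 3.0: vulnerable to POODLE
    if content_type == 0x15:
        return "alert"             # alert (e.g. protocol_version / handshake_failure): SSLv3 refused
    return "unexpected"


def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to host:port, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: sslv3_probe.py HOST [PORT]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(sys.argv[1], probe_sslv3(sys.argv[1], port))
```

Run it against your own servers after applying the fixes below; the expected result is "alert" or "closed". Only "sslv3-accepted" indicates the server still negotiates SSL 3.0.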
Fix for Apache
1. Edit the ssl.conf and add the following:
SSLProtocol All -SSLv2 -SSLv3
Fix for WebLogic Server
1. Add the following to all the JVMs:
-Dweblogic.security.SSL.protocolVersion=TLS1
2. Remove the following line if found in the configuration:
-Dweblogic.security.SSL.protocolVersion=SSL3
3. Restart.
Fix for Oracle HTTP Server (OHS)
1. Edit httpd.conf and edit the SSLProtocol directive as follows:
OLD: SSLProtocol ALL -SSLv2
NEW: SSLProtocol ALL -SSLv2 -SSLv3
2. Restart.
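The three fixes above all come down to one configuration check: does the SSLProtocol directive (Apache, OHS) or the weblogic.security.SSL.protocolVersion JVM flag (WebLogic) still leave SSLv3 enabled? As an added example that is not from the post, this Python audit script applies a simplified version of mod_ssl's SSLProtocol semantics (bare or "+" tokens add a protocol, "-" tokens remove one, "all" expands to every protocol) and checks a JVM argument list for the TLS1 value. The sample configuration text and argument lists are constructed here, and treating a missing WebLogic flag as "SSLv3 not disabled" is this example's assumption.

```python
import re

# Protocol names mod_ssl accepted around 2014 (assumed list for the "all" expansion).
ALL_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
WEBLOGIC_FLAG = "-Dweblogic.security.SSL.protocolVersion="


def enabled_protocols(directive_value: str) -> set:
    """Resolve an SSLProtocol value such as "ALL -SSLv2 -SSLv3" into the enabled set."""
    enabled = set()
    for token in directive_value.split():
        sign = "+"
        if token[0] in "+-":
            sign, token = token[0], token[1:]
        names = set(ALL_PROTOCOLS) if token.lower() == "all" else {token.lower()}
        if sign == "-":
            enabled -= names
        else:
            enabled |= names
    return enabled


def audit_httpd_conf(conf_text: str) -> list:
    """Return one finding per active SSLProtocol directive that still enables SSLv3."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or commented-out line
        match = re.match(r"SSLProtocol\s+(.+)", stripped, re.IGNORECASE)
        if match and "sslv3" in enabled_protocols(match.group(1)):
            findings.append(f"line {lineno}: '{stripped}' still enables SSLv3")
    return findings


def audit_weblogic_jvm_args(args: list) -> list:
    """Check WebLogic JVM arguments for the protocolVersion=TLS1 fix.
    A missing flag is reported as not disabling SSLv3 (an assumption of this example)."""
    values = [arg[len(WEBLOGIC_FLAG):] for arg in args if arg.startswith(WEBLOGIC_FLAG)]
    if not values:
        return [f"{WEBLOGIC_FLAG}TLS1 missing: SSLv3 not disabled"]
    if values[-1].upper() == "TLS1":  # the last occurrence of a repeated -D flag wins
        return []
    return [f"{WEBLOGIC_FLAG}{values[-1]}: SSLv3 still allowed"]


# Constructed sample inputs mirroring the OLD/NEW settings in the post.
OLD_CONF = "Listen 4443\n# SSLProtocol ALL\nSSLProtocol ALL -SSLv2\n"
NEW_CONF = "Listen 4443\nSSLProtocol ALL -SSLv2 -SSLv3\n"
OLD_JVM = ["-Xmx2g", "-Dweblogic.security.SSL.protocolVersion=SSL3"]
NEW_JVM = ["-Xmx2g", "-Dweblogic.security.SSL.protocolVersion=TLS1"]

if __name__ == "__main__":
    for label, conf in (("old httpd.conf", OLD_CONF), ("new httpd.conf", NEW_CONF)):
        print(label, audit_httpd_conf(conf) or "OK")
    for label, jvm in (("old JVM args", OLD_JVM), ("new JVM args", NEW_JVM)):
        print(label, audit_weblogic_jvm_args(jvm) or "OK")
```

Point audit_httpd_conf at the contents of ssl.conf or httpd.conf and audit_weblogic_jvm_args at the JVM argument list of each managed server; an empty result means the SSLv3 fix from the post is in place for that component.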