Tech Info 167: WebShare HTTPS – SSLv3 POODLE vulnerability

HELIOS Tech Info #167

Thu, 11 Dec 2014

WebShare HTTPS – SSLv3 POODLE vulnerability

All existing Java versions have a problem: small fragments of the encrypted HTTPS content can be decrypted by an attacker in a man-in-the-middle position. This is achieved by forcing the connection down to the older SSLv3 protocol version. The POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability requires, in addition to the older SSLv3 protocol, JavaScript malware in the client’s browser that can modify HTML content.

All HELIOS WebShare versions (including UB64) configured with HTTPS are affected: under the conditions described above, small fragments of the HTTPS data can be decrypted. However, WebShare provides additional security via RSA 1024-bit encrypted passwords, which cannot be decrypted, so foreign access to WebShare was never possible, regardless of whether HTTP or HTTPS is used.

HELIOS recommends that all customers use the supported HELIOS UB64 product versions and install all available updates. A new protocol configuration preference allows enforcing further security when required in the future.

A WebShare Web Server UB64 update has been made available to disable the older SSLv3 protocol by default.

Questions and answers:

Q: Is my WebShare Web Server affected?
A: HTTPS is not turned on by default. Customers who enabled “HTTP/SSL support” according to the WebShare manual are affected (manual section: WebShare Web Server, chapter HTTP/SSL support).

Q: Will the latest Java Update fix the problem?
A: No, the WebShare Web Server UB64 update needs to be installed.

Q: Does the POODLE vulnerability allow putting malware into the WebShare server?
A: No. Via the POODLE vulnerability the intruder can only obtain decrypted fragments of the HTTPS connection; it cannot execute any native or Java code on the WebShare Web Server or WebShare File Server host.

Q: What happens if HTTPS is used but the update is not installed?
A: Fragments of the HTTPS HTML content can be decrypted, which means the content is not 100% secure as promised by HTTPS.

For additional questions please contact your HELIOS partner.

The following describes the new “WSDisabledSSLProtocols” WebShare Web Server preference, which will also be documented in future versions of the WebShare manual:

Preference name: WSDisabledSSLProtocols
Type: strlist

By default, this preference is not set, which means that SSLv3 and SSLv2Hello are disabled. This configuration is advised by Oracle for all server applications supporting HTTPS.

The list of supported HTTPS protocols depends on the Java version.

Protocols supported by Java 7:
SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2

If this preference is set, it replaces the default, so every protocol that should be disabled must be listed explicitly. Example configuration to allow TLSv1.2 and newer only:

prefvalue -k 'Programs/websharewoa/WSDisabledSSLProtocols' -t strlist "SSLv2Hello,SSLv3,TLSv1,TLSv1.1"

Note: Use this preference with care. Disabling additional protocols may cause incompatibilities with older web browsers using HTTPS.
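The effect of a WSDisabledSSLProtocols value is easy to get wrong, because a set preference replaces the default list rather than extending it. The following Python script is an added example and not HELIOS code: it models the behaviour documented above (unset preference disables SSLv3 and SSLv2Hello; a set preference disables exactly the listed entries; the supported list is the Java 7 list given above), reports what a candidate value would leave enabled, flags an SSLv3-enabled result, and renders the prefvalue command for a chosen policy. The helper names (parse_strlist, effective_protocols, assess, disabled_list_for, prefvalue_command) are ours and not part of the product.

```python
# Added example for HELIOS Tech Info #167, not HELIOS code: models the documented
# behaviour of the WSDisabledSSLProtocols strlist preference so an administrator
# can check what a given value leaves enabled before setting it.
# Assumptions: an unset preference disables SSLv3 and SSLv2Hello (the stated
# default); when set, only the listed protocols are disabled; the supported
# list is the Java 7 list from the tech info. All helper names are ours.

PREF_KEY = "Programs/websharewoa/WSDisabledSSLProtocols"
JAVA7_PROTOCOLS = ("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
DEFAULT_DISABLED = frozenset({"SSLv2Hello", "SSLv3"})  # applies when unset


def parse_strlist(value):
    """Split a strlist value ("a,b,c") into entries; None means 'not set'."""
    if value is None:
        return None
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def effective_protocols(pref_value, supported=JAVA7_PROTOCOLS):
    """Return (enabled, disabled, unknown) for a preference value.

    Setting the preference replaces the default entirely, so a value that
    lists only TLSv1 silently re-enables SSLv3 and SSLv2Hello.
    """
    entries = parse_strlist(pref_value)
    if entries is None:
        disabled = set(DEFAULT_DISABLED)
        unknown = set()
    else:
        disabled = {e for e in entries if e in supported}
        unknown = {e for e in entries if e not in supported}
    enabled = tuple(p for p in supported if p not in disabled)
    return enabled, tuple(sorted(disabled)), tuple(sorted(unknown))


def assess(pref_value, supported=JAVA7_PROTOCOLS):
    """Evaluate a candidate value and list the findings a reviewer would raise."""
    enabled, disabled, unknown = effective_protocols(pref_value, supported)
    findings = []
    if "SSLv3" in enabled:
        findings.append("SSLv3 enabled: server remains exposed to POODLE")
    if "SSLv2Hello" in enabled:
        findings.append("SSLv2Hello enabled: not advised by Oracle for servers")
    if not enabled:
        findings.append("no protocol enabled: HTTPS clients cannot connect")
    if unknown:
        findings.append("unknown protocol names ignored: " + ", ".join(unknown))
    return {"enabled": enabled, "disabled": disabled, "findings": findings}


def disabled_list_for(allowed, supported=JAVA7_PROTOCOLS):
    """Build the strlist that leaves exactly `allowed` enabled (Java order)."""
    missing = [p for p in allowed if p not in supported]
    if missing:
        raise ValueError("not supported by this Java version: " + ", ".join(missing))
    return ",".join(p for p in supported if p not in allowed)


def prefvalue_command(allowed, supported=JAVA7_PROTOCOLS):
    """Render the prefvalue command line from the tech info for the chosen policy."""
    value = disabled_list_for(allowed, supported)
    return "prefvalue -k '%s' -t strlist \"%s\"" % (PREF_KEY, value)


if __name__ == "__main__":
    # Constructed candidate values: unset, the page's TLSv1.2-only example,
    # and a mistaken value that lists only TLSv1.
    for candidate in (None, "SSLv2Hello,SSLv3,TLSv1,TLSv1.1", "TLSv1"):
        result = assess(candidate)
        print("value=%r enabled=%s findings=%s"
              % (candidate, result["enabled"], result["findings"]))
    print(prefvalue_command(("TLSv1.2",)))
```

Running the script shows the pitfall directly: the value "TLSv1" disables TLSv1 but leaves SSLv2Hello and SSLv3 enabled, which assess() reports as a POODLE exposure, whereas the unset preference and the page's example value both pass without findings.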