How to close POODLE SSLv3 security flaw (CVE-2014-3566)

October 15, 2014
Author
David Busby

Padding Oracle On Downgraded Legacy Encryption

First off, the naming "convention" as of late for security issues has been terrible. The newest vulnerability (CVE-2014-3566) is nicknamed POODLE, which at least is an acronym and, as per the header above, has some meaning.

The summary of this issue is that it is much the same as the earlier B.E.A.S.T. (Browser Exploit Against SSL/TLS); however, there is no known mitigation method in this case other than entirely disabling SSLv3 support. In short, an attacker has a vector by which they can retrieve the plaintext from your encrypted streams.

So let's talk mitigation. The Mozilla Security Wiki's Server Side TLS page has for some time made strict recommendations on ciphers and protocols, and is certainly worth your attention.

Apache

Disable SSLv2 and SSLv3 in your Apache SSL configuration by setting:
SSLProtocol all -SSLv2 -SSLv3

Nginx

Allow only TLS in Nginx with the following:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

MySQL

This is where things get far more interesting: unlike Apache and Nginx, there is no way to allow or disallow entire protocol versions of the SSL/TLS spec within MySQL; there is, however, the ability to specify the cipher spec to be used for SSL communication.

As such, to remove SSLv3 support from MySQL you need only ensure that none of the SSLv3 ciphers are in use within your configuration.

As per the information in this bug, you can list the SSLv3 ciphers by simply running:
openssl ciphers -v 'DEFAULT' | awk '/SSLv3 Kx=(RSA|DH|DH(512))/ { print $1 }'
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA
AES256-SHA
CAMELLIA256-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
DHE-RSA-SEED-SHA
DHE-DSS-SEED-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
AES128-SHA
SEED-SHA
CAMELLIA128-SHA
RC4-SHA
RC4-MD5
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5

Removing the above from your ssl-cipher configuration should disable SSLv3 support. Of course, ensuring your MySQL service is NOT generally accessible is by far one of the most important steps you can take in securing your MySQL deployment against CVE-2014-3566.

You can read more about POODLE here.

The following script will help to identify support for any non-SSLv3 ciphers; unfortunately, in my limited testing I have yet to find a supported non-SSLv3 cipher.

Formatting is an issue for the script, so please see the GitHub gist.
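To make the MySQL part of the procedure above reproducible, here is an added example (not the author's gist and not MySQL or OpenSSL code) that parses the column layout of `openssl ciphers -v`, derives the SSLv3-labelled suites the way the awk one-liner does, builds a colon-separated value for MySQL's `ssl-cipher` option from the remaining suites, and audits a `Ssl_cipher_list` status value against the blocked set. The cipher listing and the status value embedded below are constructed samples in the same format as the page's output, not captures from a specific OpenSSL build or server.

```python
"""Derive a non-SSLv3 ssl-cipher value from `openssl ciphers -v` output and
audit a MySQL Ssl_cipher_list status value against the SSLv3-labelled suites."""
from typing import Dict, List, Optional, Sequence

# Constructed sample of `openssl ciphers -v 'DEFAULT'` output. Columns are:
# name, protocol, Kx=, Au=, Enc=, Mac= (the layout shown on the page).
SAMPLE_OPENSSL_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

# Constructed value in the shape of `SHOW STATUS LIKE 'Ssl_cipher_list'`
# (colon separated), not taken from a real server.
SAMPLE_STATUS_CIPHER_LIST = "DHE-RSA-AES256-SHA:AES256-SHA:AES256-RMD:DHE-RSA-AES128-SHA"


def parse_ciphers_v(text: str) -> List[Dict[str, str]]:
    """Parse `openssl ciphers -v` lines into dicts: name, proto, plus the Kx/Au/Enc/Mac fields."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # blank or truncated line
        row = {"name": parts[0], "proto": parts[1]}
        for field in parts[2:]:
            key, _, value = field.partition("=")
            row[key] = value
        rows.append(row)
    return rows


def sslv3_ciphers(text: str, kx_prefixes: Optional[Sequence[str]] = None) -> List[str]:
    """Names whose protocol column is SSLv3. kx_prefixes optionally mirrors the
    page's awk filter (Kx=RSA or Kx=DH...); None keeps every SSLv3-labelled suite."""
    names: List[str] = []
    for row in parse_ciphers_v(text):
        if row["proto"] != "SSLv3":
            continue
        if kx_prefixes and not row.get("Kx", "").startswith(tuple(kx_prefixes)):
            continue
        names.append(row["name"])
    return names


def mysql_ssl_cipher_value(text: str) -> str:
    """Colon-separated allow-list for MySQL's ssl-cipher option: every suite
    that is not labelled SSLv3 in the listing."""
    return ":".join(r["name"] for r in parse_ciphers_v(text) if r["proto"] != "SSLv3")


def audit_status_cipher_list(status_value: str, blocked: Sequence[str]) -> List[str]:
    """Return the entries of a Ssl_cipher_list status value that are in the blocked set,
    in the order the server reports them."""
    blocked_set = set(blocked)
    return [c for c in status_value.split(":") if c in blocked_set]


if __name__ == "__main__":
    blocked = sslv3_ciphers(SAMPLE_OPENSSL_CIPHERS_V, kx_prefixes=("RSA", "DH"))
    print("SSLv3-labelled suites:", blocked)
    print("ssl-cipher =", mysql_ssl_cipher_value(SAMPLE_OPENSSL_CIPHERS_V))
    print("still enabled on server:", audit_status_cipher_list(SAMPLE_STATUS_CIPHER_LIST, blocked))
```

One caveat worth keeping in mind when reading the output: in the `ciphers -v` listing the protocol column is the lowest protocol version a suite can be negotiated under, and OpenSSL's own description of the `-v` option treats the SSLv3 label as covering TLS as well, so a suite shown as SSLv3 (AES128-SHA, for instance) is also used by TLS 1.0 and later connections. Dropping every SSLv3-labelled suite therefore removes all CBC/SHA1 suites from TLS too, and a server that only has such suites available will be left with nothing to offer.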

UPDATE 2014-10-16: openssl updates are now becoming available with patches against this issue.

AMI Linux: openssl-1.0.1j-1.80.amzn1 “add patch for CVE-2014-3566 (Padding Oracle On Downgraded Legacy Encryption attack)”

RedHat: no update is yet available

UPDATE 2014-11-17:

Oracle have released an update here: http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html which notes that MySQL products are not affected by the POODLE bug; this is due to the cipher suites which MySQL supports not including the affected SSLv3 ciphers.

The openssl ciphers -v output contradicts the documentation here: https://www.openssl.org/docs/apps/ciphers.html, e.g.

openssl ciphers -v AES128-SHA

AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1

The linked documentation page above, however, lists AES128-SHA as a TLS1.0 cipher:

dbusby@kali:~$ openssl ciphers -v AES128-SHA

AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
dbusby@kali:~$ mysql -se "SHOW STATUS LIKE 'Ssl_cipher_list'" | sed 's/:/\n/g'
Ssl_cipher_list DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
AES256-RMD
AES128-RMD
DES-CBC3-RMD
DHE-RSA-AES256-RMD
DHE-RSA-AES128-RMD
DHE-RSA-DES-CBC3-RMD
RC4-SHA
RC4-MD5
DES-CBC3-SHA
DES-CBC-SHA
EDH-RSA-DES-CBC3-SHA
EDH-RSA-DES-CBC-SHA
dbusby@kali:~$ mysql --ssl-cipher=AES128-SHA
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 53
Server version: 5.5.40-0+wheezy1 (Debian)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input
statement.

mysql> \s
--------------
mysql Ver 14.14 Distrib 5.5.40, for debian-linux-gnu (x86_64) using
readline 6.2

Connection id: 53
Current database:
Current user: root@localhost
SSL: Cipher in use is AES128-SHA
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.5.40-0+wheezy1 (Debian)
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
UNIX socket: /var/run/mysqld/mysqld.sock
Uptime: 11 min 43 sec

Threads: 1 Questions: 727 Slow queries: 0 Opens: 785 Flush tables: 1
Open tables: 132 Queries per second avg: 1.034
--------------

mysql> Bye
