This post clarifies whether CFEngine is affected by the newly published vulnerability in the SSL protocol, POODLE.

CFEngine core functionality, i.e. agent-to-hub communication, is not affected in any way by the POODLE vulnerability. If the protocol version is set to “classic” or “1”, or is just left at the default, then all communication happens using the legacy protocol, which has nothing to do with SSL. If it is set to “latest” or “2”, then TLS version 1.0 is used, which does *not* suffer from the specific flaw in SSL v3.0 that enables POODLE. So the vulnerability is not applicable in either case.

CFEngine Enterprise provides the Mission Portal web interface, served via the Apache web server on port 443. Unfortunately the default package installation uses the default Apache settings, and httpd currently accepts connections using SSL v3.0. To remedy the problem, the following line should be edited in
/var/cfengine/httpd/conf/original/extra/httpd-ssl.conf
from
SSLProtocol all -SSLv2
to
SSLProtocol all -SSLv2 -SSLv3
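To check that the edit actually removed SSLv3, it helps to evaluate the SSLProtocol directive the way mod_ssl does rather than just grepping for “-SSLv3”: tokens are applied left to right, and a token without a +/- prefix (including “all”) replaces the set built so far, so “-SSLv3 all” still leaves SSLv3 enabled. The following lint script is an added example, not part of the original post or of CFEngine; the config excerpt is constructed, and the list of protocols that “all” expands to is an assumption about the httpd/OpenSSL build.

```python
"""Lint Apache mod_ssl SSLProtocol directives for SSLv3 exposure (POODLE)."""
import re

# Assumption: the protocols this httpd/OpenSSL build knows; "all" expands to these.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
_CANON = {p.lower(): p for p in ALL_PROTOCOLS}


def _expand(name: str) -> set:
    """Map one (case-insensitive) protocol token to the protocols it names."""
    if name.lower() == "all":
        return set(ALL_PROTOCOLS)
    if name.lower() not in _CANON:
        raise ValueError(f"unknown protocol token: {name}")
    return {_CANON[name.lower()]}


def enabled_protocols(directive: str) -> set:
    """Evaluate an SSLProtocol argument list with mod_ssl's left-to-right rules:
    "-X" removes, "+X" adds, and a bare token (or "all") replaces the current set."""
    enabled = set()
    for token in directive.split():
        action, name = ("", token)
        if token[0] in "+-":
            action, name = token[0], token[1:]
        if action == "-":
            enabled -= _expand(name)
        elif action == "+":
            enabled |= _expand(name)
        else:
            enabled = _expand(name)
    return enabled


def sslprotocol_directives(conf_text: str) -> list:
    """Return the argument string of every uncommented SSLProtocol directive."""
    found = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment: not an active directive
        m = re.match(r"SSLProtocol\s+(.+)$", line, re.IGNORECASE)
        if m:
            found.append(m.group(1).strip())
    return found


def sslv3_enabled(conf_text: str) -> bool:
    """True if any active SSLProtocol directive in the file still allows SSLv3."""
    return any("SSLv3" in enabled_protocols(d) for d in sslprotocol_directives(conf_text))


# Constructed excerpt mirroring the default setting and the fixed one from the post.
VULNERABLE_CONF = "<VirtualHost _default_:443>\nSSLEngine on\nSSLProtocol all -SSLv2\n</VirtualHost>\n"
FIXED_CONF = VULNERABLE_CONF.replace("SSLProtocol all -SSLv2", "SSLProtocol all -SSLv2 -SSLv3")

if __name__ == "__main__":
    print("default config allows SSLv3:", sslv3_enabled(VULNERABLE_CONF))  # True
    print("fixed config allows SSLv3:  ", sslv3_enabled(FIXED_CONF))       # False
```

Point the script at the real file (e.g. read `/var/cfengine/httpd/conf/original/extra/httpd-ssl.conf` into `sslv3_enabled`) and restart httpd after the change, since the directive is only re-read on restart.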
This is regarded as a low-risk vulnerability that is hard to exploit, especially inside private subnets. In order for an attacker to steal a cookie, he must first hijack the victim’s browsing session (e.g. by luring him into visiting a malicious website) and generate thousands of connections to the Mission Portal, while simultaneously intercepting and manipulating all of the victim’s network data. SSL v3.0 will be disabled in the next version of CFEngine Enterprise Hub.