Show posts tagged:
security

POODLE, SSLv3 and CFEngine

This post clarifies whether CFEngine is affected by the newly published vulnerability in the SSL protocol,POODLE. CFEngine core functionality, i.e. agent-to-hub communication is not affected in any way by the POODLE vulnerability. If the protocol version is set to “classic” or “1”, or is just left to be the default, then all communication happens using the legacy protocol which has nothing to do with SSL. If it is set to “latest” or “2”, then TLS version 1.0 is used, which does *not* suffer from the specific flaw in SSL v3.0 that enables POODLE. So the vulnerability is not applicable in any case. CFEngine Enterprise provides the Mission Portal web interface, served via the Apache web server at port 443. Unfortunately the default package installation uses default Apache settings, and httpd currently accepts connections using SSL v3.0. To remedy the problem, the following line should be edited in

Posted by Thomas Ryd
October 20, 2014

Heartbleed Security Update for CFEngine Users and Customers

As you may know, a serious vulnerability was recently announced in OpenSSL, commonly referred to as Heartbleed or more officially by its CVE ID CVE-2014-0160. This vulnerability affects the OpenSSL heartbeat mechanism and allows unauthorized access to private data including encryption keys, encrypted traffic and more. At CFEngine we use OpenSSL both in our infrastructure and in our products. The security of our users and customers is one of our primary concerns, so we immediately began investigating the possible impact of this bug. Here are our findings:

Posted by Mahesh Kumar
April 10, 2014