Overview
On October 14th, 2014 the Padding Oracle On Downgraded Legacy Encryption (POODLE) exploit, CVE-2014-3566, was discovered by Google researchers. POODLE specifically targets the CBC cipher algorithms in SSLv3. GoAnywhere Services uses the SSL protocol extensively for securing data in transmission. The versions of SSL/TLS that are available to GoAnywhere Services depend entirely on the JSSE (Java Secure Socket Extension) libraries that are in use by the JVM. SSLv3 encryption, while significantly dated, is still widely used throughout the world, and therefore this threat should be addressed by customers that are using SSL within the GoAnywhere Services product.
There are 2 options available in GoAnywhere Services to mitigate this threat.
Option 1) Disable SSLv3 (preferred)
Linoma Software has created a software patch that allows you to disable SSLv3 support for the Services your trading partners use to connect to GoAnywhere. Note that disabling SSLv3 may disrupt connections from existing clients that require that version of the protocol.
The GoAnywhere Services version 3.5.5 Patch Installation Instructions are found below. Once the patch is installed, follow the directions to configure the enabled SSL protocols:
HTTPS Web Client and AS2 interface
Perform the following steps to configure the enabled SSL protocols for the HTTPS Web Client and AS2 interface of GoAnywhere Services:
- Log in as a user with Administrator role.
- Navigate to Administration > Service Manager > Edit service startup configuration for the HTTPS/AS2 service, and select the listener that is configured to use SSL encryption.
- Click on the SSL tab
- In the Enabled SSL Protocols field, specify a comma separated list of SSL/TLS protocol versions to allow. For example, to enable TLS 1.1 and TLS 1.2 only, specify TLSv1.1,TLSv1.2. Likewise, to enable all versions of SSL/TLS, specify SSLv3,TLSv1,TLSv1.1,TLSv1.2
The screenshot above shows an example of how to disable SSLv3.
- Click Save and Finish and then restart the HTTPS Service.
Administrative Interface
Perform the following steps to disable SSLv3 support for the administrative interface of GoAnywhere Services:
- Log in as a user with the Administrator role.
- Navigate to Administration > Admin Server Configuration and select the listener that is configured to use SSL encryption.
- Click on the SSL tab
- In the Enabled SSL Protocols field, specify a comma separated list of SSL/TLS protocol versions to allow. For example, to enable TLS 1.1 and TLS 1.2 only, specify TLSv1.1,TLSv1.2. Likewise, to enable all versions of SSL/TLS, specify SSLv3,TLSv1,TLSv1.1,TLSv1.2
The screenshot above shows an example of how to disable SSLv3.
- Click Save and Finish and restart the GoAnywhere service/subsystem.
Option 2) Disable CBC Ciphers
The other alternative is to disable CBC ciphers. This can be done by adjusting the enabled cipher algorithms in the service configuration screens.
Additional Considerations
Support for specific versions of TLS is dependent upon the JSSE provider used by the JVM. For example, the JSSE provider shipped with Oracle JRE 1.6.0 does not include support for TLS 1.1 and TLS 1.2; however, Oracle JRE 1.7.0 does include support for TLS 1.1 and TLS 1.2. In order to take advantage of this enhanced security, you may need to configure GoAnywhere to run on an alternate JRE.
Consult your JRE documentation for more information on the supported versions of TLS.
For instructions on switching GoAnywhere to an alternate JRE, see How do I run GoAnywhere on JAVA 1.6
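The JSSE dependency described above, and the CBC suites relevant to Option 2, can be checked on the JRE itself; the following is an added example, not code from Linoma or GoAnywhere. The class name JsseProtocolCheck is hypothetical, the default field value is constructed from the steps above, and the check must be run with the same JRE that GoAnywhere runs on.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Hypothetical helper class (not part of GoAnywhere). Uses Java 6 compatible syntax.
public class JsseProtocolCheck {

    // Split a value as it would be typed into the "Enabled SSL Protocols" field.
    static List<String> parseField(String field) {
        List<String> protocols = new ArrayList<String>();
        for (String p : field.split(",")) {
            if (p.trim().length() > 0) {
                protocols.add(p.trim());
            }
        }
        return protocols;
    }

    public static void main(String[] args) throws Exception {
        // Constructed default: the TLS 1.1 / TLS 1.2 value from the steps above.
        String field = args.length > 0 ? args[0] : "TLSv1.1,TLSv1.2";

        // Protocols the JSSE provider of this JVM is able to negotiate at all.
        SSLParameters supported = SSLContext.getDefault().getSupportedSSLParameters();
        Set<String> jvmProtocols = new TreeSet<String>(Arrays.asList(supported.getProtocols()));
        System.out.println("JRE " + System.getProperty("java.version")
                + " supports: " + jvmProtocols);

        for (String p : parseField(field)) {
            if (p.equalsIgnoreCase("SSLv3")) {
                System.out.println(p + ": REMOVE (vulnerable to POODLE)");
            } else if (!jvmProtocols.contains(p)) {
                System.out.println(p + ": NOT SUPPORTED by this JRE");
            } else {
                System.out.println(p + ": ok");
            }
        }

        // Option 2: CBC suites this JRE offers, i.e. candidates to disable.
        for (String suite : supported.getCipherSuites()) {
            if (suite.contains("_CBC_")) {
                System.out.println("CBC suite: " + suite);
            }
        }
    }
}
```

If every entry in the field is reported as not supported, as would happen with TLSv1.1,TLSv1.2 on a JSSE provider that lacks those versions, switch to a newer JRE before saving that value.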
Patch Installation Procedures
To apply the patch:
- Make sure your installed version is at least 3.5.1. To check your version, log in to GoAnywhere Services and access the menu item Help > About. If you are not on version 3.5.1, then access the menu item Administration > Check for Updates and follow the instructions to upgrade to 3.5.1.
- After you confirm that your installation of GoAnywhere Services is at 3.5.1, contact Linoma Support by emailing [email protected] and requesting the Poodle Security Patch.
- Extract the contents from the Security Patch to a folder of your choice on your PC. This will extract the release notes and 2 folders containing 4 JAR files and 2 JSP files.
- Shut down the GoAnywhere Services subsystem/service.
- Copy the files from step 2 to the system where GoAnywhere Services is installed. The source folder directly correlates to the target destination folder under the installation directory, i.e. the files under ‘/lib’ are to be installed under [INSTALL_DIR]/lib where [INSTALL_DIR] is the installation folder of GoAnywhere Services. Likewise, the file in ‘adminroot/admin/serviceconfig’ must be copied to [INSTALL_DIR]/adminroot/admin/serviceconfig. The target files already exist, so overwrite and replace these files when prompted.
- Start the GoAnywhere Services subsystem/service.
Log in to GoAnywhere Services and navigate to the Help > About page. Make sure the version shows up as 3.5.5.
Please email [email protected] if you have any questions.