Basho Product Alert: SSL 3.0 Vulnerability and POODLE Attack

Seema Jethani seema at basho.com
Mon Mar 2 20:42:33 EST 2015


SSL version 3 has been revealed as insecure via an attack on POODLE
<https://www.us-cert.gov/ncas/alerts/TA14-290A>. The Erlang VM on which
Riak relies supports this old version.
Description
This fix is very narrow in scope. It instructs Erlang's SSL library to
forbid SSL version 3 traffic. Versions of Riak prior to 1.2 are also
susceptible in the limited scenarios described here, but the patch supplied
is not applicable.
*Affected Users*
Users that do any of the following will be affected:

   - expose Riak CS to untrusted networks via HTTPS
   - expose Riak's optional HTTPS interface to untrusted networks
   - expose Riak Control to untrusted networks

If you do not expose Riak or Riak CS to untrusted networks, we do not
recommend applying this patch, as it may lead to upgrade problems in the
future. If you are a Riak CS user, please also assess your Riak
installation against the criteria above and apply the patch if indicated.

*Riak 2.0 Users*
If you have installed Riak 2.0.5, you will not need to apply the patch, as
that version includes the fix. If you are using Riak 2.0.0 to 2.0.2, please
upgrade to 2.0.5.


*Riak CS and Riak 1.2-1.4 Users*A patch is available on our Product
advisories page. Instructions to install and backout can be found here
<http://docs.basho.com/riak/latest/community/product-advisories/ssl-poodle/#Riak-CS-and-Riak-1-2-1-4-Users>
.


*Moving forward*This patch is included in Riak 2.0.5 and all releases
thereafter.
Let us know if you have any questions

Regards,
Seema Jethani
Director of Product Management, Basho <http://basho.com/>
4083455739 | @seemaj <http://twitter.com/seemaj>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.basho.com/pipermail/riak-users_lists.basho.com/attachments/20150302/1481fa0c/attachment-0002.html>


More information about the riak-users mailing list