Basho Product Alert: SSL 3.0 Vulnerability and POODLE Attack
seema at basho.com
Mon Mar 2 20:42:33 EST 2015
SSL version 3 has been shown to be insecure by the POODLE attack
<https://www.us-cert.gov/ncas/alerts/TA14-290A>. The Erlang VM on which
Riak relies supports this old version.
This fix is very narrow in scope. It instructs Erlang's SSL library to
forbid SSL version 3 traffic. Versions of Riak prior to 1.2 are also
susceptible in the limited scenarios described here, but the patch supplied
is not applicable to them.
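For readers who run their own Erlang services alongside Riak, the following is an added example (not Basho's patch and not Riak code) of what "forbid SSL version 3 traffic" looks like at the Erlang ssl API level: the listener's option list names only TLS versions, and a small helper checks an option list before use. The certificate and key paths are placeholders; the module name and function names are assumptions of this example.

```erlang
%% Added example, not part of the Basho advisory or the Riak code base.
%% Restricts an Erlang ssl listener to TLS so that SSLv3 ClientHellos are
%% refused during the handshake rather than negotiated.
-module(tls_only_listener).
-export([allowed_versions/0, accepts_sslv3/1, apply_vm_wide/0, start/1]).

%% Protocol versions this listener will negotiate. 'sslv3' is deliberately
%% absent; remove 'tlsv1'/'tlsv1.1' as well if your clients allow it.
allowed_versions() ->
    ['tlsv1.2', 'tlsv1.1', 'tlsv1'].

%% Returns true if an ssl option list would still permit SSLv3, either
%% because it lists sslv3 explicitly or because it omits {versions, ...}
%% and the VM's default set (ssl:versions/0, key 'supported') contains it.
accepts_sslv3(Opts) ->
    case proplists:get_value(versions, Opts) of
        undefined ->
            Default = proplists:get_value(supported, ssl:versions(), []),
            lists:member(sslv3, Default);
        Versions ->
            lists:member(sslv3, Versions)
    end.

%% Alternative to per-listener options: set the ssl application's
%% protocol_version environment key so every ssl:listen/ssl:connect in this
%% VM that does not pass {versions, ...} uses the TLS-only list.
apply_vm_wide() ->
    application:set_env(ssl, protocol_version, allowed_versions()).

%% Start a TLS-only listener on Port and accept connections sequentially.
start(Port) ->
    ok = ssl:start(),
    Opts = [{certfile, "/path/to/server-cert.pem"},   % placeholder path
            {keyfile,  "/path/to/server-key.pem"},    % placeholder path
            {versions, allowed_versions()},
            {reuseaddr, true},
            {active, false}],
    %% Fail fast at startup if the option list would admit SSLv3.
    false = accepts_sslv3(Opts),
    {ok, Listen} = ssl:listen(Port, Opts),
    accept_loop(Listen).

accept_loop(Listen) ->
    {ok, Sock} = ssl:transport_accept(Listen),
    %% ssl:ssl_accept/1 completes the server-side handshake on OTP of the
    %% advisory's era; on OTP 21 and later use ssl:handshake/1 instead.
    case ssl:ssl_accept(Sock) of
        ok ->
            {ok, Info} = ssl:connection_information(Sock, [protocol]),
            io:format("negotiated ~p~n", [proplists:get_value(protocol, Info)]),
            ssl:close(Sock);
        {error, Reason} ->
            %% An SSLv3-only client lands here with a handshake failure.
            io:format("handshake refused: ~p~n", [Reason])
    end,
    accept_loop(Listen).
```

The `accepts_sslv3/1` check matters because omitting `{versions, ...}` does not mean "TLS only"; it means "whatever the ssl application's defaults are", which on the OTP releases this advisory concerns included SSLv3. `ssl:connection_information/2` exists from OTP 18 onward; on older releases use `ssl:negotiated_protocol/1` or simply drop that line.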
Users that do any of the following will be affected:
- expose Riak CS to untrusted networks via HTTPS
- expose Riak's optional HTTPS interface to untrusted networks
- expose Riak Control to untrusted networks
If you do not expose Riak or Riak CS to untrusted networks, we do not
recommend applying this patch, as it may lead to upgrade problems in the
future. If you are a Riak CS user, please also assess your Riak
installation against the criteria above and apply the patch if indicated.
*Riak 2.0 Users*
If you have installed Riak 2.0.5, you will not need to apply the patch, as
that version includes the fix. If you are using Riak 2.0.0 to 2.0.2, please
upgrade to 2.0.5.
*Riak CS and Riak 1.2-1.4 Users*
A patch is available on our Product advisories page. Instructions to install
and backout can be found here.
*Moving forward*
This patch is included in Riak 2.0.5 and all releases
Let us know if you have any questions.
Director of Product Management, Basho <http://basho.com/>
4083455739 | @seemaj <http://twitter.com/seemaj>