Technical Bulletin: GoAnywhere Services and POODLE Exploit

View some of the Frequently Asked Questions to our support staff. Included are some tips and tricks making this forum ideal for users getting started with GoAnywhere Services. Note: Users can reply to existing topics but only our support staff can add new topics to this forum.
1 post Page 1 of 1

Support_Rick

Support Specialist
Posts: 592
Joined: Tue Jul 17, 2012 2:12 pm
Location: Phoenix, AZ

Post by Support_Rick » Fri Oct 17, 2014 3:40 pm
GoAnywhere Services and POODLE Exploit CVE-2014-3566

Overview

On October 14th, 2014 the Padding Oracle On Downgraded Legacy Encryption (POODLE) exploit CVE-2014-3566 was discovered by Google researchers. POODLE targets the CBC cipher algorithms specifically for SSLv3. GoAnywhere Services utilizes the SSL protocol extensively for securing data in transmission. The versions of SSL/TLS that are available to GoAnywhere Services depends entirely on the JSSE (Java Secure Socket Extension) libraries that are in use by the JVM. SSLv3 encryption, while significantly dated, is still widely used throughout the world and therefore this threat should be addressed by customers that are using SSL within the GoAnywhere Services product.

There are 2 options available in GoAnywhere Services to mitigate this threat.

Option 1) Disable SSLv3 (preferred)

Linoma Software has created a software patch that allows you to disable SSLv3 support for the Services your trading partners use to connect to GoAnywhere. Note that disabling SSLv3 may disrupt connections from existing clients that require that version of the protocol.

The GoAnywhere Services version 3.5.5 Patch Installation Instructions are found below. Once the patch is installed, follow the directions to configure the enabled SSL protocols:

HTTPS Web Client and AS2 interface

Perform the following steps to configure the enabled SSL protocols for the HTTPS Web Client and AS2 interface of GoAnywhere Services:
  1. Log in as a user with Administrator role.
  2. Navigate to Administration > Service Manager > Edit service startup configuration for the HTTPS/AS2 service, and select the listener that is configured to use SSL encryption.
  3. Click on the SSL tab
  4. In the Enabled SSL Protocols field, specify a comma separated list of SSL/TLS protocol versions to allow. For example, to enable TLS 1.1 and TLS 1.2 only, specify TLSv1.1,TLSv1.2. Likewise, to enable all versions of SSL/TLS, specify SSLv3,TLSv1,TLSv1.1,TLSv1.2
    Image01.jpg
    Image01.jpg (10.93 KiB) Viewed 5114 times
    The screenshot above shows an example of how to disable SSLv3.
  5. Click Save and Finish and then restart the HTTPS Service.

    Administrative Interface

    Perform the following steps to disable SSLv3 support for the administrative interface of GoAnywhere Services:
  6. Log in as a user with the Administrator role.
  7. Navigate to Administration > Admin Server Configuration and select the listener that is configured to use SSL encryption.
  8. Click on the SSL tab
  9. In the Enabled SSL Protocols field, specify a comma separated list of SSL/TLS protocol versions to allow. For example, to enable TLS 1.1 and TLS 1.2 only, specify TLSv1.1,TLSv1.2. Likewise, to enable all versions of SSL/TLS, specify SSLv3,TLSv1,TLSv1.1,TLSv1.2
    Image02.jpg
    Image02.jpg (10.92 KiB) Viewed 5114 times

    The screenshot above shows an example of how to disable SSLv3.
  10. Click Save and Finish and restart the GoAnywhere service/subsystem.

Option 2) Disable CBC Ciphers

The other alternative is to disable CBC ciphers. This can be done by adjusting the enabled cipher algorithms in the service configuration screens.

Additional Considerations

Support for specific versions of TLS is dependent upon the JSSE provider used by the JVM. For example, the JSSE provider shipped with Oracle JRE 1.6.0 does not include support for TLS 1.1 and TLS 1.2, however Oracle JRE 1.7.0 does include support for TLS 1.1 and TLS 1.2. In order to take advantage of this enhanced security, you may need to configure GoAnywhere to run on an alternate JRE.

Consult your JRE documentation for more information on the supported versions of TLS.

For instructions on switching GoAnywhere to an alternate JRE, see How do I run GoAnywhere on JAVA 1.6

Patch Installation Procedures

To apply the patch:
  1. Make sure your installed version is at least 3.5.1. To check your version, login to GoAnywhere Services and access the menu item, Help > About. If you are not on version 3.5.1 then access the menu item Administration > Check for Updates and follow the instructions to upgrade to 3.5.1.
  2. After you confirm that your installation of GoAnywhere Services is at 3.5.1, contact Linoma Support by emailing Support@GoAnywhere.com and requesting the Poodle Security Patch.
  3. Extract the contents from the Security Patch to a folder of your choice on your PC. This will extract the release notes and a 2 folders containing 4 JAR files and 2 JSP files.
  4. Shutdown the GoAnywhere Services subsystem/service.
  5. Copy the files from step 2 to the system where GoAnywhere Services is installed. The source folder directly correlates to the target destination folder under the installation directly. i.e. the files under ‘/lib’ are to be installed under [INSTALL_DIR]/lib where [INSTALL_DIR] is the installation folder of GoAnywhere Services. Likewise, the file in ‘adminroot/admin/serviceconfig’ must be copied to [INSTALL_DIR]/adminroot/admin/serviceconfig. The target files already exist, so overwrite and replace these files when prompted.
  6. Start the GoAnywhere Services subsystem/service.

Login to GoAnywhere Services and navigate to the Help > About page. Make sure the version shows up as 3.5.5.

Please email support@goanywhere.com if you have any questions.
Rick Elliott
Lead Solutions Consultant
(402) 944.4242
(800) 949-4696
1 post Page 1 of 1