POODLE SSLv3 Security Alert October 2014

Summary

Epicor has been keeping apprised of a vulnerability in the SSL 3.0 protocol, which has been assigned CVE-2014-3566. All implementations of SSL 3.0 are affected.

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. POODLE affects an older encryption standard, specifically Secure Sockets Layer (SSL) version 3.0. It does not affect the newer mechanism known as Transport Layer Security (TLS).

Because it’s a vulnerability in the protocol, not a bug in the implementation, there is no “patch,” so SSLv3 should be disabled in all client and server software.

Epicor’s Response

There are functions of the Eclipse server software that initiate HTTPS connections to external servers (e.g. for credit card processing). Those connections previously allowed SSLv3, so we have updated the code to explicitly require TLS connections. The patch (DNV616) can be applied manually, or it will be included by default in the customer’s next point upgrade.

We have also reviewed the Eclipse application server and confirmed that SSLv3 is already disabled in the release, which uses TLS by default.

Recommended Customer Actions

We recommend that customers request the patch or a point upgrade to a release of Eclipse with SSLv3 client functionality disabled.

We also recommend that any customers running external web servers (e.g. web commerce, mobile) disable SSLv3 on IIS using Microsoft’s “fix it” tool.

FAQ

Q. How can I verify that my Solar application server (or any other secure web service) is not vulnerable?
A. Run the command below:

openssl s_client -connect HOSTNAMEORIPADDRESS:PORT -ssl3

For example, the following output, from a run against the Solar application server on the local machine, shows that the service is not vulnerable:

[root@rs6k ~]# openssl s_client -connect localhost:2443 -ssl3
CONNECTED(00000003)
25211:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284:
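
The probe above is easy to run once by hand but awkward to interpret across a fleet. The following script is an added example, not Epicor's code: it wraps the same openssl s_client -ssl3 test, classifies the output (the FAQ's "wrong version number" line is kept as sample input) and returns a usable exit status. It assumes the openssl command-line tool is installed on the machine running it.

```shell
#!/bin/sh
# Added example (not Epicor's code): wrap the FAQ's "openssl s_client -ssl3"
# probe so it can be run against a list of hosts and interpreted automatically.
# Assumes the openssl command-line tool is installed where this runs.

# classify_sslv3_output reads the combined stdout/stderr of
#   openssl s_client -connect HOST:PORT -ssl3
# and prints one of: disabled, enabled, client-lacks-ssl3, unknown.
classify_sslv3_output() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lower" in
        # The openssl build doing the test was compiled without SSLv3, so it
        # cannot tell us anything about the server (wording varies by version).
        *"unknown option"*|*"not supported"*)
            echo client-lacks-ssl3 ;;
        # Handshake completed with SSLv3: the service is exposed to POODLE.
        *"protocol  : sslv3"*|*"protocol : sslv3"*)
            echo enabled ;;
        # Server refused the SSLv3 hello: the "wrong version number" line from
        # the FAQ, or a handshake-failure alert.
        *"wrong version number"*|*"handshake failure"*|*"unsupported protocol"*)
            echo disabled ;;
        *)
            echo unknown ;;
    esac
}

# check_sslv3 HOST [PORT] runs the probe; exit status 0 means SSLv3 is off.
check_sslv3() {
    host=$1
    port=${2:-443}
    # "echo |" closes s_client's stdin so it exits instead of waiting for input;
    # "|| true" keeps the captured output even though openssl exits non-zero.
    out=$(echo | openssl s_client -connect "$host:$port" -ssl3 2>&1 || true)
    result=$(classify_sslv3_output "$out")
    printf '%s:%s SSLv3 %s\n' "$host" "$port" "$result"
    [ "$result" = disabled ]
}

# The FAQ's own output, kept here as sample input for the classifier.
SAMPLE_REFUSED='CONNECTED(00000003)
25211:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284:'

# Constructed sample: the session summary a server that still accepts SSLv3 returns.
SAMPLE_ACCEPTED='CONNECTED(00000003)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES128-SHA'

# Usage: sh check_sslv3.sh HOST [PORT]   (e.g. localhost 2443 for the Solar server)
if [ "$#" -ge 1 ]; then
    check_sslv3 "$@"
fi
```

Run it as sh check_sslv3.sh localhost 2443 on the application server, or loop over a host list and act on the exit status. A "client-lacks-ssl3" result means the openssl on the testing machine is too new to speak SSLv3 at all; test from an older build in that case rather than treating it as a pass.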

How do I display shell command history with date and time under UNIX or Linux operating systems?

If HISTTIMEFORMAT is set, the time stamp associated with each history entry is written to the history file, marked with the history comment character.

Define the variable as follows:

[root@hostname ~]# HISTTIMEFORMAT="%m/%d/%y %T "

Where:
%d - Day
%m - Month
%y - Year
%T - Time

To see the history with time stamps, type:

[root@hostname ~]# history
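
What the setting actually produces on disk is not shown above, so the following is an added example, not from the original page: it writes a constructed history file of the kind bash produces when HISTTIMEFORMAT is set (a "#<epoch seconds>" comment line before each command), renders it in the same %m/%d/%y %T layout, and shows how to persist the variable for every login shell. The /etc/profile.d/histtime.sh path is an assumption, and the date conversion assumes GNU date as shipped with RHEL.

```shell
#!/bin/sh
# Added example, not from the original page: the history file format that
# HISTTIMEFORMAT produces, and helpers around it. Assumes GNU date (RHEL).

# persist_histtimeformat [FILE] writes a profile snippet so every login shell
# records time stamps. The default path is an assumption (root needed to write it).
persist_histtimeformat() {
    target=${1:-/etc/profile.d/histtime.sh}
    cat > "$target" <<'EOF'
# Record a time stamp with every bash history entry (stored in ~/.bash_history
# as "#<epoch seconds>" comment lines before each command).
export HISTTIMEFORMAT="%m/%d/%y %T "
EOF
}

# write_sample_history FILE creates a constructed history file of the kind bash
# writes when HISTTIMEFORMAT is set. The last entry has no time stamp, as an
# entry recorded before the variable was set would not.
write_sample_history() {
    cat > "$1" <<'EOF'
#1413072000
yum update bash
#1413075723
openssl s_client -connect localhost:2443 -ssl3
history
EOF
}

# format_history FILE prints each command with its time stamp rendered the way
# the history command would show it, so a copied ~/.bash_history can be reviewed
# (for example during an incident) without a shell that has it loaded.
format_history() {
    ts=""
    while IFS= read -r line; do
        case "$line" in
            '#'[0-9]*) ts=${line#"#"}; continue ;;
        esac
        if [ -n "$ts" ]; then
            stamp=$(TZ=UTC date -d "@$ts" "+%m/%d/%y %T")
        else
            stamp="(no timestamp)   "
        fi
        printf '%s %s\n' "$stamp" "$line"
        ts=""
    done < "$1"
}

# Usage: sh history_time.sh /path/to/.bash_history
if [ "$#" -ge 1 ]; then
    format_history "$1"
fi
```

Note that entries made before the variable was set carry no time stamp, and that the stamp is only as trustworthy as the clock and the file itself: a user can edit or delete their own history, so treat it as a convenience for review rather than an audit log.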

How do I add or delete contacts under my Epicor support account?

In order to add or delete contacts, you must have System Admin privileges in iSupport. Then follow these steps:

1) When you first enter our site, you are presented with the following screen. At the top of this screen, you will see "My account". Click on this:

2) Click on either of these User Maintenance choices:

3) Select one of the options below:

4) If you select "Assign Permissions", the following screen appears where you can select the level of authority for each user:

Bash Security Alert September 2014

Summary

A security vulnerability in bash, the command-line shell used by the Linux operating system, could leave systems running it open to exploitation through specially crafted input.

Epicor’s Response

We have reviewed the Eclipse software and verified that none of our products are directly affected by this vulnerability.

Customer Action

While the Eclipse software is not directly affected by this vulnerability, we highly recommend that our customers take the following actions to safeguard their servers:

  1. Install the updated bash package as soon as possible, using the command
    yum update bash
  2. Do not make the Linux server directly accessible on the Internet. Use a VPN to remotely access the server.
  3. Continue to install Red Hat software updates on a regular basis.

For more information, please read the following articles on Red Hat’s website:

FAQ

Q: Are web services that indirectly access the Linux database server affected?

A. No. Eclipse doesn't use the affected Apache web server on Linux. Web services that use FastCGI (e.g. WOE, Web Integration) run on the Windows IGATE server and access the UniVerse SOCKET server, which isn't affected. Web services that access JBoss on the database server (e.g. POD, JM) aren't affected.

Q. The yum update tool is not working. Can I manually install the updated bash software?

A. Yes, you may use one of the alternative mirrors below:

For servers running RHEL 5:

rpm -Uvh http://f.cl.ly/items/0v0V430R0b3a3j3M4344/bash-3.2-33.el5_11.4.x86_64.rpm

For servers running RHEL 6:

rpm -Uvh http://f.cl.ly/items/3p083T2f1j3b191x423d/bash-4.1.2-15.el6_5.2.x86_64.rpm

Q. How do I test to see if my server is vulnerable?

A. Run this command:

env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'

If you see the word “vulnerable” echoed back, then your system needs to be updated. If you only see “this is a test,” then your system has been patched.
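
To run the same check on every Eclipse server rather than reading the output by eye, the following added example (not from the original page) scripts the FAQ test, reports the installed bash package alongside the result, and exits non-zero when the update is still missing. It assumes bash is installed; the rpm query only runs where rpm exists (RHEL/CentOS).

```shell
#!/bin/sh
# Added example, not from the original page: script the FAQ test so it can be
# run on each Eclipse server and its exit status used by a monitoring job.
# Assumes bash is installed; rpm is used only where present (RHEL/CentOS).

# shellshock_status prints "vulnerable", "patched" or "unknown". The FAQ
# command exports a variable whose value starts with "() {"; an unpatched bash
# imports it as a function and also runs the trailing "echo vulnerable".
# A patched bash may warn on stderr about ignoring the definition; that noise
# is discarded so only the two expected words are inspected.
shellshock_status() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null || true)
    case "$out" in
        *vulnerable*)       echo vulnerable ;;
        *"this is a test"*) echo patched ;;
        *)                  echo unknown ;;
    esac
}

# bash_package prints the installed bash version, from rpm where possible so
# the output can be compared with the package names in the FAQ mirrors.
bash_package() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q bash
    else
        bash --version | head -n 1
    fi
}

# report prints one tab-separated line (host, package, status) and returns
# non-zero unless the system is patched.
report() {
    status=$(shellshock_status)
    printf '%s\t%s\t%s\n' "$(uname -n)" "$(bash_package)" "$status"
    [ "$status" = patched ]
}

report
```

Run it on each server (for example from a cron job or over SSH) and alert on a non-zero exit; the package column lets you confirm that the version installed matches the one the yum update or manual rpm step was expected to deliver.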