Resolution for POODLE SSL 3.0 vulnerability (CVE-2014-3566) in RHUI 2.0 and 2.1
Environment
- Red Hat Update Infrastructure 2.0
- Red Hat Update Infrastructure 2.1
- rh-rhui-tools
Issue
- Resolution for POODLE SSL 3.0 vulnerability (CVE-2014-3566) in Red Hat Update Infrastructure
- How to avoid impact to RHUI from CVE-2014-3566?
- This issue is seen because a part of RHUA uses SSL 3.0 when communicating with the CDN to fetch listing files.
- The following error message appears in the /root/.rhui/rhui.log file when this failure occurs:
Unexpected error caught at the shell level
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/rhui/tools/shell.py", line 86, in safe_listen
    self.listen(clear=first_run)
  File "/usr/lib/python2.6/site-packages/rhui/tools/shell.py", line 112, in listen
    Shell.listen(self)
  File "/usr/lib/python2.6/site-packages/rhui/common/shell.py", line 186, in listen
    item.func(*args, **item.kwargs)
  File "/usr/lib/python2.6/site-packages/rhui/tools/screens/repo.py", line 128, in add
    self.candidate_repo_manager.translate_entitlements()
  File "/usr/lib/python2.6/site-packages/rhui/tools/repo_candidates.py", line 72, in translate_entitlements
    mappings = self.cdn_api.expand_variables(e.download_url, cert.cert_filename)
  File "/usr/lib/python2.6/site-packages/rhui/tools/cdn_api.py", line 71, in expand_variables
    mappings = self._translate_next_variable({'' : url}, cert_filename)
  File "/usr/lib/python2.6/site-packages/rhui/tools/cdn_api.py", line 104, in _translate_next_variable
    substitutions = self._request_get(listing_url, cert_filename).split('\n')
  File "/usr/lib/python2.6/site-packages/rhui/tools/cdn_api.py", line 156, in _request_get
    server = self._server(cert_filename)
  File "/usr/lib/python2.6/site-packages/rhui/tools/cdn_api.py", line 223, in _server
    server.connect()
  File "/usr/lib64/python2.6/site-packages/M2Crypto/httpslib.py", line 50, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 185, in connect
    ret = self.connect_ssl()
  File "/usr/lib64/python2.6/site-packages/M2Crypto/SSL/Connection.py", line 178, in connect_ssl
    return m2.ssl_connect(self.ssl, self._timeout)
SSLError: sslv3 alert handshake failure
Resolution
- Errata RHBA-2014:1715 for RHUI (2.1.3) has been released to disable the use of SSLv3 in the underlying call and use TLS 1.x instead.
- Disable SSLv3 in httpd as per Resolution for POODLE SSLv3.0 vulnerability (CVE-2014-3566) in httpd
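As an added illustration of the httpd side of the resolution (this is not part of the original article or of the RHUI code base): a small Python check that parses mod_ssl SSLProtocol directives the way mod_ssl does and flags any configuration that still allows SSLv3. The ssl.conf samples are constructed, and it is assumed that the build's "all" keyword expands to the five protocol names listed and that the default with no directive is "all", as in httpd 2.2 on RHEL 6.

```python
import re

# Protocol names mod_ssl accepts; "all" is assumed to expand to this set
# (httpd 2.2 era, where the default SSLProtocol is "all" and permits SSLv3).
KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def parse_ssl_protocol(directive):
    """Return the set of protocols an SSLProtocol argument list enables.

    Mirrors mod_ssl's parser: a '+' token adds, a '-' token removes, and a
    bare token replaces whatever has been accumulated so far.
    """
    enabled = set()
    for token in directive.split():
        action, name = "", token
        if token[0] in "+-":
            action, name = token[0], token[1:]
        if name.lower() == "all":
            names = set(KNOWN_PROTOCOLS)
        else:
            names = {p for p in KNOWN_PROTOCOLS if p.lower() == name.lower()}
            if not names:
                raise ValueError("unknown protocol in SSLProtocol: %r" % name)
        if action == "+":
            enabled |= names
        elif action == "-":
            enabled -= names
        else:
            enabled = names
    return enabled


def audit_httpd_ssl_config(config_text):
    """Report every SSLProtocol directive as (line, directive, sslv3_enabled).

    A config with no directive at all is reported as SSLv3-enabled, because
    the assumed default ("all") still includes it.
    """
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"SSLProtocol\s+(.+)$", stripped, re.IGNORECASE)
        if m:
            enabled = parse_ssl_protocol(m.group(1))
            findings.append((lineno, stripped, "SSLv3" in enabled))
    if not findings:
        findings.append((0, "<no SSLProtocol directive: default 'all'>", True))
    return findings


# Constructed ssl.conf fragments: before and after the POODLE mitigation.
WEAK_CONF = "# before the fix\nSSLEngine on\nSSLProtocol all -SSLv2\n"
FIXED_CONF = "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n"
```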
Root Cause
Red Hat Content Delivery Network (CDN) has disabled SSL 3.0 as a way to mitigate the SSL 3.0 POODLE vulnerability, which causes errors when fetching listing files in RHUI.
Diagnostic Steps
The root cause of the problem is that the Red Hat Content Delivery Network disabled SSL 3.0 due to the POODLE vulnerability. RHUA has a piece of code which required SSLv3, hence the issue described.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.