Resolution for POODLE SSLv3.0 vulnerability (CVE-2014-3566) in CUPS

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux (RHEL) 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Common Unix Printing System (CUPS) 1.3.7
  • Common Unix Printing System 1.4.2
  • Common Unix Printing System 1.6.3

Issue

  • How do I prevent CUPS from being impacted by CVE-2014-3566 (POODLE)?
  • How do I disable SSLv3 in CUPS?

Resolution

Red Hat has added the ability to disable SSLv3 in CUPS in updates to RHEL 5, 6, and 7. Please see the following table for the version of CUPS in which this feature has been implemented:

RHEL Ver.   Resolved in CUPS Ver.     Erratum
RHEL 5      cups-1.3.7-32.el5_11      RHBA-2015:0064-2
RHEL 6      cups-1.4.2-72.el6         RHBA-2015:1346-1
RHEL 7      cups-1.6.3-22.el7         RHBA-2015:2386-1

The updates disable SSLv3 and RC4 support by default. For environments that must keep SSLv3 or RC4 available for legacy clients, an SSLOptions configuration directive has been added to the CUPS daemon configuration file (/etc/cups/cupsd.conf) and the CUPS client configuration file (/etc/cups/client.conf). Note that re-enabling SSLv3 reinstates the POODLE exposure described in CVE-2014-3566 on that host, so it should be a deliberate, temporary exception rather than the default.

In /etc/cups/cupsd.conf, the SSLOptions directive takes None or one or more of the Allow options, for example:

SSLOptions None
SSLOptions AllowSSL3
SSLOptions AllowRC4

The SSLOptions directive specifies additional SSL/TLS protocol options to use for encrypted connections. By default, CUPS only supports encryption using TLS v1.0 or higher with known secure cipher suites. The AllowRC4 option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones. The AllowSSL3 option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0. Omitting the directive is equivalent to SSLOptions None.

In /etc/cups/client.conf, the SSLOptions directive takes the same values:

SSLOptions None
SSLOptions AllowSSL3
SSLOptions AllowRC4

On the client side the directive sets the encryption options that libcups and the command-line tools built on it (lp, lpstat, lpadmin and so on) use when connecting to a print server. By default, CUPS only supports encryption using TLS v1.0 or higher with known secure cipher suites. The AllowRC4 option enables the 128-bit RC4 cipher suites, which are required to talk to some older servers that do not implement newer ones. The AllowSSL3 option enables SSL v3.0, which is required to talk to some older servers that do not support TLS v1.0.
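
To confirm that a system actually runs with the secure defaults, the following shell script audits the SSLOptions directive in a cupsd.conf or client.conf and flags AllowSSL3 and AllowRC4. It is an added example and not part of the Red Hat solution: the two sample configuration files it writes are constructed for the demonstration, the audit treats the last SSLOptions line in a file as authoritative, and the optional openssl s_client probe assumes a cupsd that has a dedicated TLS listener (SSLListen/SSLPort in cupsd.conf) reachable at the host:port passed in the PROBE_HOST variable.

```shell
#!/bin/sh
# Added example, not from the Red Hat solution: audit the CUPS SSLOptions
# directive and optionally probe a cupsd TLS listener for SSLv3.

# Print the effective SSLOptions value of a cupsd.conf or client.conf.
# Comment lines are skipped, the directive name is matched case-insensitively,
# a trailing "# ..." comment is dropped, and the last occurrence wins.
# "None" is printed when the directive is absent, i.e. SSLv3 and RC4 stay off.
cups_ssloptions() {
    awk 'tolower($1) == "ssloptions" {
             v = ""
             for (i = 2; i <= NF; i++) {
                 if (substr($i, 1, 1) == "#") break
                 v = v (v == "" ? "" : " ") $i
             }
         }
         END { print (v == "" ? "None" : v) }' "$1"
}

# Return 0 if the file keeps the secure defaults, 1 if it re-enables SSLv3
# or RC4; the names of the weak options found are printed on stdout.
cups_weak_ssloptions() {
    _weak=""
    for _o in $(cups_ssloptions "$1" | tr '[:upper:]' '[:lower:]'); do
        case "$_o" in
            allowssl3) _weak="${_weak}AllowSSL3 " ;;
            allowrc4)  _weak="${_weak}AllowRC4 " ;;
        esac
    done
    printf '%s\n' "${_weak% }"
    [ -z "$_weak" ]
}

# Probe host:port for SSLv3 with openssl s_client. Only meaningful against a
# cupsd SSLListen/SSLPort listener; the default port 631 negotiates TLS via
# HTTP Upgrade and cannot be probed this way. Returns 0 when SSLv3 is
# negotiated (POODLE exposure), 1 when refused, 2 when the local openssl
# has no SSLv3 support and the result is inconclusive.
cups_probe_sslv3() {
    _out=$(openssl s_client -connect "$1" -ssl3 </dev/null 2>&1)
    _rc=$?
    case "$_out" in
        *"unknown option"*|*"Unknown option"*) return 2 ;;
    esac
    [ "$_rc" -eq 0 ] && printf '%s\n' "$_out" | grep -q 'Protocol *: SSLv3'
}

# Constructed sample configurations for the demonstration.
SAMPLE_DIR=$(mktemp -d)
SAFE_CONF="$SAMPLE_DIR/cupsd.conf"
WEAK_CONF="$SAMPLE_DIR/client.conf"
cat >"$SAFE_CONF" <<'EOF'
# cupsd.conf after the update: no SSLOptions line, so SSLv3 and RC4 stay off
LogLevel warn
Listen localhost:631
EOF
cat >"$WEAK_CONF" <<'EOF'
# client.conf that re-enables the weak options for a legacy print server
ServerName oldprintserver.example.com
SSLOptions None
ssloptions AllowSSL3 AllowRC4
EOF

for f in "$SAFE_CONF" "$WEAK_CONF"; do
    if w=$(cups_weak_ssloptions "$f"); then
        echo "$f: SSLOptions=$(cups_ssloptions "$f") -> OK"
    else
        echo "$f: SSLOptions=$(cups_ssloptions "$f") -> WEAK ($w)"
    fi
done

# Optional live probe, e.g. PROBE_HOST=printserver.example.com:443 sh audit.sh
if [ -n "${PROBE_HOST:-}" ]; then
    cups_probe_sslv3 "$PROBE_HOST"
    case $? in
        0) echo "$PROBE_HOST: SSLv3 accepted (POODLE exposure)" ;;
        1) echo "$PROBE_HOST: SSLv3 refused" ;;
        *) echo "$PROBE_HOST: inconclusive, local openssl lacks SSLv3" ;;
    esac
fi
```

Run it against the real files with `cups_weak_ssloptions /etc/cups/cupsd.conf` and `/etc/cups/client.conf` after the update has been applied; a non-zero exit tells you that someone has opted back into SSLv3 or RC4 on that host.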

Root Cause

Previously, CUPS did not provide a way of disabling SSL version 3.0 (SSLv3) support while keeping the other secure protocols enabled. This left CUPS users vulnerable to the POODLE attack (CVE-2014-3566, discussed at https://access.redhat.com/articles/1232123) and forced them to deploy the stunnel utility in front of cupsd as a mitigation (as in https://access.redhat.com/solutions/1234843).


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.