Information

CVE-2014-3566, a vulnerability in the SSLv3 protocol, was identified by the Google security team. An additional whitepaper available from OpenSSL also describes this vulnerability.

You can check if your website is vulnerable using curl:

curl -v3 -X HEAD https://www.example.com

If you are NOT vulnerable, your output should look like:

curl: (35) SSL connect error

If you ARE vulnerable, you will see normal connection output, potentially including the line:

SSL 3.0 connection using ...

Disclaimer

Some Parallels Business Automation - Standard (PBA-S) plugins force the use of SSLv3 when communicating with external systems. As a result, disabling SSLv3 may disrupt the system.

To avoid this, run the following commands on the PBA-S server before disabling SSLv3:

# wget http://download.pa.parallels.com/pbas/4.5/hotfixes/KB123164/installer.sh
# sh installer.sh

This script downloads and installs the following packages with a hotfix applied against the POODLE vulnerability:

  • hspc-infstr-manager
  • hspc-plesk

The following packages are only downloaded if they are installed:

  • hspc-plugin-dm-mit
  • hspc-plugin-pp-op-anet
  • hspc-plugin-pp-op-protx
  • hspc-plugin-pp-op-pxpost
  • hspc-plugin-pp-op-securepay
  • hspc-plugin-pp-op-worldpayinv

Resolution

The attack described above requires an SSL 3.0 connection to be established, so disabling the SSL 3.0 protocol will completely mitigate it.

Please edit /etc/httpd/conf/hspc_ssl.conf, replacing:

SSLProtocol -ALL +SSLv3 +TLSv1

With:

SSLProtocol -ALL +TLSv1

Restart the httpd service to apply your changes:

service httpd restart
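
The following script is an added example, not part of the original article or of PBA-S: it evaluates each SSLProtocol line in a configuration file and reports the ones that still leave SSLv3 enabled. The function names sslv3_enabled and audit_conf are hypothetical, and the script assumes that "all" includes SSLv3 and that a bare protocol name replaces the whole set.

```shell
#!/bin/sh
# Added example (not vendor code): evaluate mod_ssl SSLProtocol lines for SSLv3.
# Assumptions: tokens apply left to right; "+X" adds, "-X" removes, a bare name
# replaces the whole set; "all" is taken to include SSLv3, as on 2014-era httpd.

# sslv3_enabled "<line>": 0 = SSLv3 left enabled, 1 = disabled,
# 2 = not an SSLProtocol directive (comment, other directive, blank line).
sslv3_enabled() {
    # Directive and protocol names are case-insensitive; tabs become spaces.
    line=$(printf '%s\n' "$1" | tr 'A-Z\t' 'a-z ' | sed 's/^ *//')
    case $line in
        "sslprotocol "*) ;;
        *) return 2 ;;
    esac
    v3=0
    set -f                              # no glob expansion while splitting tokens
    for tok in ${line#sslprotocol}; do
        case $tok in
            +all|+sslv3|all|sslv3) v3=1 ;;
            -all|-sslv3)           v3=0 ;;
            +*|-*)                 ;;       # other protocol toggled: SSLv3 unchanged
            *)                     v3=0 ;;  # bare other protocol replaces the set
        esac
    done
    set +f
    [ "$v3" -eq 1 ]
}

# audit_conf <file>: print "file:line: text" for every directive that leaves
# SSLv3 on. Returns 1 if at least one such directive exists, else 0.
audit_conf() {
    found=0; n=0
    while IFS= read -r l || [ -n "$l" ]; do
        n=$((n + 1))
        if sslv3_enabled "$l"; then
            printf '%s:%s: %s\n' "$1" "$n" "$l"
            found=1
        fi
    done < "$1"
    return "$found"
}

# Constructed sample: the "before" and "after" lines from the Resolution section.
sample=$(mktemp)
printf '%s\n' 'SSLProtocol -ALL +SSLv3 +TLSv1' 'SSLProtocol -ALL +TLSv1' > "$sample"
audit_conf "$sample" || echo "SSLv3 is still enabled on the lines listed above"
rm -f "$sample"
```

To audit the live configuration, call audit_conf /etc/httpd/conf/hspc_ssl.conf after editing the file and before restarting httpd.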

Internal content

If a node is still unavailable and hspc.log contains entries like the following:

    [2014/10/17 03:18:54] [DEBUG] [72841] [HSPC::MT::Plesk::PleskGate::__send_request_to_agent] Sending packet to 213.246.49.100 : 8443 : /enterprise/control/agent.php
    [2014/10/17 03:18:54] [DEBUG] [72841] [HSPC::MT::Plesk::PleskGate::__send_request_to_agent] Final Packet=<packet version="1.3.5.1"><server><get_protos/></server></packet>
    [2014/10/17 03:18:54] [DEBUG] [72841] [HSPC::MT::Plesk::PleskGate::__send_request_to_agent] REPLY_DATA=
    [2014/10/17 03:18:54] [INFO] [72841] [HSPC::MT::Plesk::PleskGate::__send_request_to_agent] Error: empty data received from PleskAgent.
    [2014/10/17 03:18:54] [DEBUG] [72841] [HSPC::MT::Plesk::PleskGate::__send_request_to_agent] TRACE [05]: . . . . -> HSPC::MT::Plesk::PleskGate->__send_request_to_agent ()
    [2014/10/17 03:18:54] [DEBUG] [72841] [HSPC::MT::Plesk::PleskGate::init] TRACE [04]: . . . -> HSPC::MT::Plesk::PleskGate->init (hn_id=2; fast initialization: Yes; force_pwd=No)
    [2014/10/17 03:18:54] [INFO] [72841] [HSPC::MT::Plesk::find_plesk_gate] find_plesk_gate():: Error during init plesk for node #2 : Empty response received from PleskAgent

The following patched file may help: /usr/local/share/perl5/HSPC/MT/Plugin/PP/OP_IkPayboxDirectPlus.pm OP_IkPayboxDirectPlus.pm.