Information
A vulnerability in the SSLv3 protocol, CVE-2014-3566 (POODLE), was identified by the Google security team. An additional whitepaper from OpenSSL also describes this vulnerability.
You can check if your website is vulnerable using curl:
curl -v3 -I https://www.example.com
If you are NOT vulnerable, your output should look like:
curl: (35) SSL connect error
If you ARE vulnerable, you will see normal connection outputs, potentially including the line:
SSL 3.0 connection using ...
Disclaimer
Some Parallels Business Automation - Standard (PBA-S) plugins force the use of SSLv3 in communications with external systems. As a result, disabling it may disrupt the system.
To avoid this, run the following command on the PBA-S server before disabling SSLv3:
# wget http://download.pa.parallels.com/pbas/4.5/hotfixes/KB123164/installer.sh
# sh installer.sh
This script downloads and installs the following packages with a hotfix applied against the POODLE vulnerability:
- hspc-infstr-manager
- hspc-plesk
The following packages are only downloaded if they are installed:
- hspc-plugin-dm-mit
- hspc-plugin-pp-op-anet
- hspc-plugin-pp-op-protx
- hspc-plugin-pp-op-pxpost
- hspc-plugin-pp-op-securepay
- hspc-plugin-pp-op-worldpayinv
Resolution
The attack described above requires an SSL 3.0 connection to be established, so disabling the SSL 3.0 protocol will completely mitigate it.
Please edit /etc/httpd/conf/hspc_ssl.conf, replacing:
SSLProtocol -ALL +SSLv3 +TLSv1
With:
SSLProtocol -ALL +TLSv1
Restart the httpd service to apply your changes:
service httpd restart
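To confirm that no SSLProtocol directive still allows SSLv3 after the edit, the following added example (not part of the original article or of PBA-S) audits an Apache configuration file. The function names sslv3_enabled and audit_conf are hypothetical; the script assumes tokens are applied left to right and that "all" includes SSLv3, as it did on Apache builds of that era.

```shell
#!/bin/sh
# Added example, not vendor code: report SSLProtocol directives that leave
# SSLv3 enabled. Assumed model: "+X" adds a protocol, "-X" removes it, a bare
# name replaces the whole set, and "all" includes SSLv3.

# sslv3_enabled "<directive arguments>" -> exit status 0 if SSLv3 stays enabled
sslv3_enabled() {
    v3=0
    for tok in $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); do
        case "$tok" in
            +all|all|+sslv3|sslv3) v3=1 ;;
            -all|-sslv3)           v3=0 ;;
            +*|-*)                 : ;;     # another protocol added or removed
            *)                     v3=0 ;;  # bare protocol name replaces the set
        esac
    done
    [ "$v3" -eq 1 ]
}

# audit_conf FILE -> prints one verdict per active (uncommented) SSLProtocol
# directive; returns 1 if any of them enables SSLv3, 0 otherwise.
audit_conf() {
    rc=0
    args_list=$(grep -iE '^[[:space:]]*SSLProtocol[[:space:]]' "$1" |
                sed -E 's/^[[:space:]]*[^[:space:]]+[[:space:]]+//')
    while IFS= read -r args; do
        [ -n "$args" ] || continue
        if sslv3_enabled "$args"; then
            echo "SSLv3 ENABLED:  SSLProtocol $args"
            rc=1
        else
            echo "SSLv3 disabled: SSLProtocol $args"
        fi
    done <<EOF
$args_list
EOF
    return "$rc"
}

# Constructed sample: the "before" and "after" lines from the Resolution step.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '# SSLProtocol all' 'SSLProtocol -ALL +SSLv3 +TLSv1' \
                  '  sslprotocol -ALL +TLSv1' > "$tmp"
    audit_conf "$tmp" || echo "=> at least one directive still allows SSLv3"
    rm -f "$tmp"
}
demo
```

On the PBA-S server, call audit_conf /etc/httpd/conf/hspc_ssl.conf; a non-zero exit status means a directive still needs editing.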
Internal content
If a node is still unavailable and hspc.log contains the following:
[2014/10/17 03:18:54] [DEBUG] [72841] [HSPC::MT::Plesk::PleskGate::__send_request_to_agent] Sending packet to 213.246.49.100 : 8443 : /enterprise/control/agent.php
[2014/10/17 03:18:54] [DEBUG] [72841] [HSPC::MT::Plesk::PleskGate::__send_request_to_agent] Final Packet=<packet version="1.3.5.1"><server><get_protos/></server></packet>
[2014/10/17 03:18:54] [DEBUG] [72841] [HSPC::MT::Plesk::PleskGate::__send_request_to_agent] REPLY_DATA=
[2014/10/17 03:18:54] [INFO] [72841] [HSPC::MT::Plesk::PleskGate::__send_request_to_agent] Error: empty data received from PleskAgent.
[2014/10/17 03:18:54] [DEBUG] [72841] [HSPC::MT::Plesk::PleskGate::__send_request_to_agent] TRACE [05]: . . . . -> HSPC::MT::Plesk::PleskGate->__send_request_to_agent ()
[2014/10/17 03:18:54] [DEBUG] [72841] [HSPC::MT::Plesk::PleskGate::init] TRACE [04]: . . . -> HSPC::MT::Plesk::PleskGate->init (hn_id=2; fast initialization: Yes; force_pwd=No)
[2014/10/17 03:18:54] [INFO] [72841] [HSPC::MT::Plesk::find_plesk_gate] find_plesk_gate():: Error during init plesk for node #2 : Empty response received from PleskAgent
The following patched file may help: /usr/local/share/perl5/HSPC/MT/Plugin/PP/OP_IkPayboxDirectPlus.pm