On October 14, 2014, security experts alerted the general public to a flaw in an obsolete but still-used SSL protocol (SSLv3).
The "POODLE" (Padding Oracle On Downgraded Legacy Encryption) attack can force a connection to "fallback" to SSL 3.0, where it is then possible to steal cookies, which are small data files that enable persistent access to an online service. If stolen, a cookie could allow an attacker access to someone's Web-based email account, for example.
It's important to know that this flaw is most likely present in all servers and is not specific to the cPanel software. In addition, this vulnerability does not appear to affect SSH and FTP services. Regardless, we recommend that you update your server as soon as possible to address this vulnerability.
As of 10/22/2014, cPanel has released versions that disable SSLv3. These versions are:
11.46.0.9
11.44.1.19
Our changes introduced in the above versions disable SSLv3 support by default; however, in order for those changes to take effect through the update process, the services must be restarted. If you are currently running one of the above versions or later, or once you have upgraded your server, you will need to follow the below steps to ensure that SSLv3 is properly disabled.
In addition, if you have already performed manual configuration changes on your server to disable SSLv3, you will need to revert those changes.
In order to identify the version of cPanel you are running, please log into WHM as root and identify the version in the top right of the WHM interface.
Upgrade instructions can be found here:
http://documentation.cpanel.net/dis...testVersion-HowtoupdateyourcPanel&WHMsoftware
====
To disable SSLv3 once your server has been upgraded to one of the supported versions listed above:
For Apache:
1. Go to WHM => Service Configuration => Apache Configuration => Global Configuration.
2. SSL/TLS Cipher Suite (the second option, not "SSL Cipher Suite") should contain "All -SSLv2 -SSLv3".
3. Go to the bottom of the page, and select the Save button to restart the service.
For LiteSpeed:
Update to LiteSpeed version 4.2.18.
For more information about Litespeed & POODLE:
LSWS 4.2.18 Released
Note about Mail Servers:
The POODLE attack requires the client to retry connecting several times in order to downgrade to SSLv3, and typically only browsers will do this. Mail Clients are not as susceptible to POODLE. However, users who want better security should switch to Dovecot until we upgrade Courier to a newer version.
For cpsrvd:
1. Go to WHM => Service Configuration => cPanel Web Services Configuration
2. Make sure that the "TLS/SSL Protocols" field contains "SSLv23:!SSLv2:!SSLv3".
3. Select the "Save" button at the bottom.
For cpdavd:
1. Go to WHM => Service Configuration => cPanel Web Disk Configuration
2. Make sure that the "TLS/SSL Protocols" field contains "SSLv23:!SSLv2:!SSLv3".
3. Select the "Save" button at the bottom.
For Dovecot:
1. Go to WHM => Service Configuration => Mailserver Configuration.
2. SSL Protocols should contain "!SSLv2 !SSLv3". If it does not, replace the text in this field.
3. Go to the bottom of the page, and select the Save button to restart the service.
For Courier:
Courier has released a new version to mitigate this as of 10/22. Until we have an opportunity to review, test, and publish the new version of Courier, please switch to Dovecot for enhanced security.
For Exim:
1. Go to Home » Service Configuration » Exim Configuration Manager
2. Under Advanced Editor, look for 'openssl_options'.
3. Make sure the field contains "+no_sslv2 +no_sslv3".
4. Go to the bottom of the page, and select the Save button to restart the service.
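Once the services above have been restarted, the following POSIX shell script verifies the result from the outside. It is an added check, not part of the original post or of cPanel's software; it assumes an openssl build that still accepts -ssl3 (1.0.x as shipped in 2014), the default cPanel port layout, and a hostname you pass on the command line.

```shell
# Verification helper added to this post, not cPanel's own code. Probes each
# TLS port with an SSLv3-only handshake. Assumes an openssl that still accepts
# "-ssl3" (1.0.x as shipped in 2014); host and port list are assumptions.
# classify_s_client_output: reads "openssl s_client" output from stdin.
# Returns 0 = server negotiated SSLv3 (still vulnerable), 1 = server refused
# SSLv3 (fixed), 2 = inconclusive (closed port, or openssl itself lacks SSLv3).
classify_s_client_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'unknown option|no protocols available|Connection refused|connect:errno'; then
        return 2
    fi
    if printf '%s\n' "$out" | grep -Eq 'handshake failure|wrong version number|protocol version|Cipher *: *0000'; then
        return 1
    fi
    if printf '%s\n' "$out" | grep -Eq 'Protocol *: *SSLv3'; then
        return 0
    fi
    return 2
}

# probe_sslv3 HOST PORT [STARTTLS]: one SSLv3-only handshake attempt.
probe_sslv3() {
    if [ -n "$3" ]; then
        openssl s_client -connect "$1:$2" -ssl3 -starttls "$3" </dev/null 2>&1
    else
        openssl s_client -connect "$1:$2" -ssl3 </dev/null 2>&1
    fi | classify_s_client_output
}

# check_all HOST: walks the services named above. Assumed default ports:
# 443 Apache/LiteSpeed, 2083/2087/2096 cpsrvd, 2078 cpdavd, 993/995 Dovecot
# or Courier, 465 Exim SMTPS, 587 Exim submission via STARTTLS.
check_all() {
    rc=0
    for spec in 443 2083 2087 2096 2078 993 995 465 587:smtp; do
        port=${spec%%:*}
        starttls=${spec#*:}
        [ "$starttls" = "$spec" ] && starttls=""
        probe_sslv3 "$1" "$port" "$starttls" && st=$? || st=$?
        case $st in
            0) echo "FAIL $1:$port still accepts SSLv3"; rc=1 ;;
            1) echo "ok   $1:$port refuses SSLv3" ;;
            *) echo "??   $1:$port inconclusive (port closed or no SSLv3 in openssl)" ;;
        esac
    done
    return $rc
}
# Usage: sh check_sslv3.sh your.server.example (hostname is an assumption).
if [ "$#" -gt 0 ]; then check_all "$1"; fi
```

A "??" result for 587 usually means Exim is not offering STARTTLS on that port; a "??" on every port means your openssl was built without SSLv3 and cannot perform the probe.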
====
To revert any manual changes you may have made to mitigate POODLE prior to the 11.46 upgrade:
For Apache:
1. Go to WHM => Service Configuration => Apache Configuration => Include Editor => Pre Main Include.
2. Select a version or All Versions.
3. Remove the following lines from the text box:
SSLHonorCipherOrder On
SSLProtocol +All -SSLv2 -SSLv3
4. Press the Update button to rebuild your Apache configuration.
For LiteSpeed:
No changes are necessary if you are using LiteSpeed version 4.2.18.
For cpsrvd:
1. Go to WHM => Service Configuration => cPanel Web Services Configuration
2. Make sure that the "TLS/SSL Protocols" field contains "SSLv23:!SSLv2:!SSLv3".
3. Select the "Save" button at the bottom.
For cpdavd:
1. Go to WHM => Service Configuration => cPanel Web Disk Configuration
2. Make sure that the "TLS/SSL Protocols" field contains "SSLv23:!SSLv2:!SSLv3".
3. Select the "Save" button at the bottom.
For Dovecot:
No change is required.
For Courier:
The POODLE attack requires the client to retry connecting several times in order to downgrade to SSLv3, and typically only browsers will do this. Mail Clients are not as susceptible to POODLE. However, users who want better security should switch to Dovecot until we upgrade Courier to a newer version.
For Exim:
1. Go to WHM => Service Configuration => Exim Configuration Manager => Advanced Editor.
2. Go to SECTION: Config at the top.
3. Search for openssl_options.
4. Ensure that this setting is set to "+no_sslv2 +no_sslv3", which is the cPanel default.
5. Go to the bottom of the page, and select the Save button.
====
For major versions lower than those listed above, please review our documentation on adjusting cipher protocols here:
http://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols
Please let us know if you have any questions about this procedure or about the vulnerability in general.
Thank you.