Vulnerability found on OpenFire version 3.8.2 installed on Windows 2008 R2 server
Info:
TLS 1.0 (and higher) and SSL 3.0 (and higher) are vulnerable to man-in-the-middle style attacks.
The flaw is specific to the renegotiation phase within the protocol. An attacker can potentially inject arbitrary plaintext into an application’s protocol stream. This action can lead to numerous results, including attacks on Certificate Authentication mechanisms. This issue affects multiple platforms/vendors/applications which use the affected protocols.
General fix:
Several vendors have released httpd update packages. The OpenSSL Repository also contains an update for OpenSSL.
It should be noted that initial patches simply mitigate the problem by disabling renegotiation rather than solving the problem completely.
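The scanner text above describes the renegotiation flaw and says early patches only disable renegotiation. The standard fix is RFC 5746 (the renegotiation_info extension), and a server's support for it is visible in the very first handshake. The following probe is an added example written for this thread; it is not code from OpenFire, from any poster, or from the scanner. It sends a bare TLS 1.0 ClientHello carrying the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signalling suite (0x00FF) and checks whether the ServerHello echoes an empty renegotiation_info extension (type 0xFF01). Port 5223 (OpenFire's legacy client SSL port) is an assumed default; the admin console or BOSH ports may be what the scanner actually hit. The sample ServerHello at the bottom is constructed for offline testing, not captured traffic.

```python
"""Probe a TLS server for RFC 5746 secure-renegotiation support.

Added example for this thread, not OpenFire code.  Sends a ClientHello with the
SCSV (0x00FF) and inspects the ServerHello for the renegotiation_info extension.
"""
import os
import socket
import struct

SCSV = 0x00FF                    # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)
EXT_RENEGOTIATION_INFO = 0xFF01  # renegotiation_info extension type
HANDSHAKE, ALERT = 22, 21        # TLS record content types
SERVER_HELLO, SERVER_HELLO_DONE = 2, 14


def build_client_hello():
    """TLS 1.0 ClientHello: a few common suites plus the SCSV, no extensions."""
    suites = b"".join(struct.pack("!H", s) for s in (0x002F, 0x0035, 0x000A, SCSV))
    body = (b"\x03\x01" + os.urandom(32) + b"\x00"     # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                              # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(data):
    """Return (version, cipher_suite, {ext_type: ext_data}) from the server's first flight."""
    handshake, pos = b"", 0
    while pos + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[pos:pos + 5])
        frag = data[pos + 5:pos + 5 + length]
        pos += 5 + length
        if ctype == ALERT:
            raise ValueError("server sent alert level=%d desc=%d" % (frag[0], frag[1]))
        if ctype == HANDSHAKE:
            handshake += frag                           # messages may span records
    hpos = 0
    while hpos + 4 <= len(handshake):
        mtype = handshake[hpos]
        mlen = int.from_bytes(handshake[hpos + 1:hpos + 4], "big")
        body = handshake[hpos + 4:hpos + 4 + mlen]
        hpos += 4 + mlen
        if mtype == SERVER_HELLO:
            version = struct.unpack("!H", body[:2])[0]
            p = 2 + 32                                  # skip server random
            p += 1 + body[p]                            # skip session id
            cipher = struct.unpack("!H", body[p:p + 2])[0]
            p += 3                                      # cipher suite + compression method
            exts = {}
            if p + 2 <= len(body):                      # extensions block is optional
                end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
                p += 2
                while p + 4 <= end:
                    etype, elen = struct.unpack("!HH", body[p:p + 4])
                    exts[etype] = body[p + 4:p + 4 + elen]
                    p += 4 + elen
            return version, cipher, exts
    raise ValueError("no ServerHello in response")


def supports_secure_renegotiation(server_flight):
    """True iff the ServerHello echoes an empty renegotiation_info (RFC 5746 3.6)."""
    _, _, exts = parse_server_hello(server_flight)
    return exts.get(EXT_RENEGOTIATION_INFO) == b"\x00"


def probe(host, port, timeout=5.0):
    """Connect, send the ClientHello, read until ServerHelloDone (or close/timeout)."""
    done_marker = bytes([SERVER_HELLO_DONE]) + b"\x00\x00\x00"
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(build_client_hello())
        data = b""
        try:
            while len(data) < 65536:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
                if data.endswith(done_marker):          # ServerHelloDone is the last message
                    break
        except socket.timeout:
            pass
    return supports_secure_renegotiation(data)


def sample_server_hello(secure):
    """Constructed ServerHello record for offline testing; not captured from a real host."""
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    if secure:
        ext = struct.pack("!HH", EXT_RENEGOTIATION_INFO, 1) + b"\x00"
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5223   # assumed OpenFire legacy SSL port
    print("secure renegotiation:", "supported" if probe(host, port) else "NOT supported")
```

Run it as `python3 probe.py xmpp.example.com 5223`; `openssl s_client -connect host:port` reports the same thing in its "Secure Renegotiation IS/IS NOT supported" line. Two caveats. First, a missing extension does not by itself prove the server still accepts a client-initiated renegotiation: the interim patches the scanner text refers to disable renegotiation without implementing RFC 5746, and a server in that state also shows "NOT supported" here, so a full check additionally attempts a renegotiation after the handshake. Second, OpenFire does not ship its own TLS stack; it uses the JVM's (JSSE), so for this finding the version that matters is the JDK OpenFire runs on, not OpenFire itself.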
well obviously it’s because he’s running on Windows!
lol, jk of course! – in seriousness though, I agree with Flow, looks like a PCI-DSS Vuln Scanner output. Although ours at my company has never failed (yet). We use Ambrian TrustWave/TrustKeeper…
Summary:
TLS 1.0 and SSL 3.0 contain a man-in-the-middle renegotiation vulnerability.
General Fix:
Apply the appropriate patch from your vendor. Several vendors have released httpd update packages.
The OpenSSL Repository also contains an update for OpenSSL.
It should be noted that initial patches simply mitigate the problem by disabling renegotiation rather than solving the problem completely.
Domino
Starting in Domino versions 8.0.2 Fix Pack 6, 8.5.1 Fix Pack 4, and 8.5.2, you can disable SSL renegotiation by adding the following parameter to the notes.ini: