SBAdmin Support
CVE-2014-3566 Advisory
Is SBAdmin affected by CVE-2014-3566 (POODLE)?
ANSWER
Yes.
Rather than attempt to explain CVE-2014-3566 here, we recommend reviewing the articles available online that provide expert details on security advisory CVE-2014-3566 (also known as POODLE). We recommend this article published by Google, who originally discovered the issue:
“This POODLE bites: Exploiting the SSL 3.0 fallback”
From our research into this published vulnerability, we see only one area of the software that is affected. The SBAdmin web-based interface uses the lighttpd web server, which does support SSLv3.0. We have two recommendations at this time to limit your exposure to this security threat: disable SSLv3.0 in the web server configuration, or disable the web interface entirely.
Update the sthttpd.conf file to disallow SSLv3.0
Add the following line after the ssl.engine = "enable" directive in your /storix/config/sthttpd.conf file (use plain ASCII double quotes; typographic quotes will not be parsed by lighttpd).
ssl.use-sslv3 = "disable"
Once you have saved your changes to the configuration file, restart the web service.
To restart the web interface
Linux & Solaris (Sys-V init)
# /etc/init.d/sthttpd restart
Linux (systemd)
# systemctl stop sthttpd
# systemctl start sthttpd
AIX
# kill -2 $(cat /storix/temp/sthttpd.pid)
# /usr/lpp/storix/bin/lighttpd -f /storix/config/sthttpd.conf
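The edit above, as an added shell example that is not part of this advisory or the Storix product: it inserts the ssl.use-sslv3 = "disable" directive directly after ssl.engine = "enable", is safe to run more than once, and refuses to touch a file that has no ssl.engine line (so it never guesses where the directive belongs). The function names, the temporary-file naming and the sample config content are assumptions made for this example; pass the real path (/storix/config/sthttpd.conf) as the first argument.

```sh
#!/bin/sh
# Added example, not Storix code: idempotently add
#   ssl.use-sslv3 = "disable"
# after the ssl.engine = "enable" line of a lighttpd-style config
# such as /storix/config/sthttpd.conf (path passed as $1).

# Succeeds (exit 0) when the config already disables SSLv3.
sslv3_disabled() {
    grep -Eq '^[[:space:]]*ssl\.use-sslv3[[:space:]]*=[[:space:]]*"disable"' "$1"
}

# Insert the directive once, right after ssl.engine = "enable".
# Returns 0 on success or when already present, 2 when no
# ssl.engine = "enable" line exists (file is left unchanged).
disable_sslv3() {
    conf="$1"
    if sslv3_disabled "$conf"; then
        return 0
    fi
    tmp="$conf.tmp.$$"   # temp file next to the config (assumed writable)
    awk '
        { print }
        /^[[:space:]]*ssl\.engine[[:space:]]*=[[:space:]]*"enable"/ && !done {
            print "ssl.use-sslv3 = \"disable\""
            done = 1
        }
        END { if (!done) exit 2 }   # no ssl.engine line: do not guess
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 2; }
    mv "$tmp" "$conf"
}

# Usage (after editing, restart sthttpd as shown above):
#   disable_sslv3 /storix/config/sthttpd.conf && echo "SSLv3 disabled"
```

After the restart, re-run sslv3_disabled on the live config as a quick check that the change survived any later edits.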
Disabling the web interface
If you are unable to edit this file or are not using the web interface, we recommend you unconfigure the web interface.
# stconfigweb -R