SSL version 3 is no longer secure. Recently, a new vulnerability in the SSL v3 protocol called the ‘Poodle attack’ was discovered by folks at Google. At Couchbase, since we take the security of our products seriously, we wanted you to be aware of the risk posed by the vulnerability and what actions you must take.
What is this bug all about?
The poodle attack is a problem in the CBC encryption scheme in the SSL 3 protocol. Even though, many systems now use TLS (the successor of SSL), the poodle attack arises typically when clients downgrade their cryptographic protocol to SSL 3.0.
Impact assessment for Couchbase server and clients
Couchbase’s cluster manager is written in Erlang. The SSL implementation in Erlang (used for XDCR replication) does not implement the version downgrade (which makes it safe from poodle), but it still does not disable SSL 3. For this reason, Couchbase 3.0.1 will disable SSLv3 for management, views and memcached ports. The code to disable it is already in the nightly build, but we are still working on it and the build will have to pass our quality gates before it is officially released.
Now is a good time to think about how you will upgrade your front-end client apps and other infrastructure components that still rely on SSL v3. For libcouchbase clients (and SDKs depending on libcouchbase, such as Ruby, PHP, and Python), upgrading to libcouchbase 2.4.3 will ensure that only the TLSv1 and above protocol is used. The 2.0 Java client uses TLS by default when talking to the server and the 2.0 .NET GA client will use TLS by default.
For our mobile products, Couchbase Lite and Sync Gateway –
Couchbase Lite for iOS 1.0.3 has already disabled SSLv3
Sync Gateway will disable SSL in the 1.0.3 release, and
Java/Android and C#/.NET will disable SSL in the 1.0.4 release
Securing the stack
To secure your entire stack, here are some other things that you might also want to check –
Typically, SSL implementations are present on third-party proxy servers like Apache, nginx, and HAProxy. If your Couchbase Server is behind such a server that uses SSL v3, you should accordingly patch up your servers and restart these services. For a detailed guidance on how to deal with poodle on different servers and browsers, head to Scott Helme's blog post.
If you are running Couchbase on Amazon EC2, you might want to check out the latest amazon security advisory here.
Need more information about the poodle bug?
Security advisory paper by Google on the “Poodle attack” –
Some questions asked by users in the Erlang community – http://erlang.org/pipermail/erlang-questions/2014-October/081315.html
Thank you for your continued support, and stay safe!