Skip to main content

lacework-global-183

Ensure ELB is not affected by POODLE Vulnerability (CVE-2014-3566)

Description

It is recommended that Elastic Load Balancers do not use the vulnerable Protocol-SSLv3 SSL cipher for session encryption. The Protocol-SSLv3 SSL cipher has the known Padding Oracle On Downgraded Legacy Encryption (POODLE) CVE-2014-3566 vulnerability. A violation is reported when the Protocol-SSLv3 SSL cipher is configured for ELBs.

Remediation

  1. Log in to the AWS Management Console.

  2. Click Services.

  3. Select Compute > EC2.

  4. In the left frame of the EC2 Dashboard, select LOAD BALANCING > Load Balancers.

  5. Select the Load Balancer that has the violation reported by Lacework.

  6. At the bottom of the page, select the Listeners tab.

  7. Click Edit.

  8. Under Load Balancer Protocol, select HTTPS.

  9. In the Cipher column, click Change.

  10. If using a predefined security policy, in the Predefined Security Policy drop-down select one of the recommended SSL ciphers for session encryption:

    ELBSecurityPolicy-2016-08, ELBSecurityPolicy-TLS-1-1-2017-01, or ELBSecurityPolicy-TLS-1-2-2017-01.

    If using a custom security policy, deselect Protocol-SSLv3 from the list of options under the heading 'SSL Protocols'.

  11. Click save to confirm the change.

  12. Click save again to finish updating the listener.