thomsweet
Contributor

GOLDENDOODLE vulnerability found in Qlik Sense June 2019

Hello,

We got a report about the GOLDENDOODLE vulnerability.

Here is the report:

Severity:

Medium

Vulnerability ID:

q038764

Source Type:

SERVER

Details:

Port: 443/tcp
GOLDENDOODLE vulnerability found with ECDHE-RSA-AES256-SHA384 on TLSv1.2
The server returns valid data in response to valid padding with an invalid MAC
---------- ---------- ----------
VURIOUS preprocessing log for debugging and troubleshooting:

Port:

443/tcp

Layer:

Middleware

References:

Qualys Knowledgebase: 
https://blog.qualys.com/technology/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities 

Bugtraq List: 
107174, http://www.securityfocus.com/bid/107174

Generic Remediation Instructions:

Please refer to official github page TLS Padding Oracles for affected products and patch links.

Patch:

Following are links for downloading patches to fix the vulnerabilities:

OpenSSL Security Advisory: OpenSSL

Generic Vulnerability Description:

A TLS padding oracle vulnerability is detected.


If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data.


QID Detection Logic:

This QID sends the multiple tls padding payloads to determine the vulnerability.


Note: Qualys scanner version 11.1.24-1 or later is required to use this QID. 

Consequences: 
An attacker who can take a man-in-the-middle (MitM) position can exploit this vulnerability and gain access to encrypted communication between a client and server.

 

We're new to Qlik Sense. How could we fix this issue?

Many thanks in advance.

--

Thom (FW)

12 Replies
Levi_Turner
Employee

I am not sure what other web apps you're referring to. Personally I interact with Qlik Sense Enterprise, Apache, and Nginx most often, with the latter two using OpenSSL as their crypto provider and thus having application-specific configs for configuring TLS and cipher suites.

As for the general problem, I am by no means a crypto expert, but as I understand it (i.e. https://blog.qualys.com/technology/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities / https://www.tripwire.com/state-of-security/vert/goldendoodle-attack/ being good references), the *DOODLE suite of vulnerabilities comes down to the use of the CBC ciphers on any TLS protocol lower than 1.3. So the fixes for this are:

  1. Use TLS 1.3 (exclusively)
  2. Disable the CBC ciphers

TLS 1.3 support on Windows is fairly new (https://devblogs.microsoft.com/premier-developer/microsoft-tls-1-3-support-reference/) so the strongest option at this juncture is to go the (2) route. Even when (1) is viable from a technical perspective, it seems extraordinarily risky to my eyes to require this for a web app unless you have pretty rigorous control over the configuration of the clients who are attempting to connect to the web app. i.e. they run very up-to-date Client OSs, use modern browsers, etc.

Just my 2 cents on the matter.
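
An added example, not part of the reply above and not Qlik's own code: a Python sketch for option (2) that flags CBC suites by name (the scan report's `ECDHE-RSA-AES256-SHA384` is CBC even though the OpenSSL-style name never says so), plans which enabled suites to disable, and checks whether a server still negotiates a CBC suite over TLS 1.2. The function names, the name-matching heuristic and the sample list are assumptions constructed for illustration; the live check only tests negotiation, not the oracle behaviour itself.

```python
import re
import socket
import ssl

# AEAD markers mean "not CBC"; OpenSSL-style names never spell out "CBC".
_AEAD = re.compile(r"GCM|CCM|CHACHA20|POLY1305")
_BLOCK = re.compile(r"AES|DES|CAMELLIA|SEED|ARIA|IDEA")

def is_cbc_suite(name):
    """True if a suite name (IANA/Schannel or OpenSSL style) uses a CBC block cipher."""
    n = name.upper()
    if "CBC" in n:
        return True
    if _AEAD.search(n):
        return False
    return bool(_BLOCK.search(n))  # block cipher without an AEAD mode means CBC

def plan_cbc_removal(enabled):
    """Split an enabled-suite list into (to_disable, to_keep); refuse to leave nothing."""
    to_disable = [s for s in enabled if is_cbc_suite(s)]
    to_keep = [s for s in enabled if not is_cbc_suite(s)]
    if not to_keep:
        raise ValueError("disabling CBC would leave no cipher suites for clients")
    return to_disable, to_keep

def cbc_suite_accepted(host, port=443, timeout=5.0):
    """Offer only CBC suites over TLS 1.2; return the suite the server picks, else None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # cipher negotiation check only, no trust decision
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 has no CBC suites
    offered = [c["name"] for c in ctx.get_ciphers() if is_cbc_suite(c["name"])]
    ctx.set_ciphers(":".join(offered))  # raises ssl.SSLError if the local build has none
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, ConnectionResetError):
        return None  # handshake refused: no CBC suite in common

# Constructed sample: the suite from the scan report plus typical Schannel-style names.
SAMPLE_ENABLED = [
    "ECDHE-RSA-AES256-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
TO_DISABLE, TO_KEEP = plan_cbc_removal(SAMPLE_ENABLED)
```

After changing the server's cipher configuration, `cbc_suite_accepted("your-server")` returning `None` indicates that no CBC suite is negotiable any more.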

HendrikJ
Contributor III

I am no crypto expert either, but in the scenario you described, I agree that option number 2 is the most viable solution for now. Thanks for the help!

veera_a
Contributor II

@HendrikJ - Do you still have this issue in your environment?
Thanks
Veer