This section documents security issues and the fixes for them.

A umask setting of 0027 in the shell startup file (typically ~/.bashrc when using the bash shell) will cause installation to fail, because directories created by root will be inaccessible to the user ecuser. The same is true of any files created as the root user under the /opt/msys/ecelerity/etc/conf directory.

To resolve this, use a more permissive mask, for example umask 0022. Another option is to chown ecuser:ecuser all new configuration files, or make them world readable; likewise for directories.
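As an added example (not from the Momentum documentation), the following POSIX shell script reproduces the umask 0027 effect in a temporary tree, lists the entries a non-owner such as ecuser could not read, and applies the world-readable fix; the temporary paths are constructed, and on a real host the check would be pointed at /opt/msys/ecelerity/etc/conf.

```shell
#!/bin/sh
# Added example, not part of the Momentum documentation. It reproduces the
# umask problem described above in a temporary tree and shows two things a
# defender wants: finding entries a non-owner such as ecuser cannot read,
# and opening them up. All paths below are constructed for the demo.

# Print entries under $1 that other users cannot read: directories without
# o+rx (needed to list and enter them) and files without o+r.
# Returns 0 when nothing is found, 1 otherwise.
world_readable_check() {
    out=$( { find "$1" -type d ! -perm -005; find "$1" -type f ! -perm -004; } | sort )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Remediation from the text: make the tree world readable (o+rx on
# directories, o+r on files). The alternative, chown -R ecuser:ecuser,
# is not done here because it needs root and a real ecuser account.
make_world_readable() {
    find "$1" -type d -exec chmod o+rx {} +
    find "$1" -type f -exec chmod o+r {} +
}

# Create a small config tree the way a root shell with the given umask would
# (umask 0027 yields 0750 directories and 0640 files). Prints the tree path.
make_tree_with_umask() {
    base=$(mktemp -d)
    ( umask "$1"; mkdir "$base/conf"; : > "$base/conf/ecelerity.conf" )
    printf '%s\n' "$base/conf"
}

demo() {
    tree=$(make_tree_with_umask 0027)
    if world_readable_check "$tree"; then
        echo "umask 0027 tree is readable (unexpected)"
    else
        echo "umask 0027 tree has entries ecuser could not read (listed above)"
    fi
    make_world_readable "$tree"
    world_readable_check "$tree" && echo "after chmod: readable by everyone"
    rm -rf "$(dirname "$tree")"
}
demo
```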
The POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability attacks the TLS protocol by forcing clients to downgrade to SSLv3, which has no known secure cipher suites available. This allows an attacker to read information encrypted with this version of the protocol in plain text. Another part of the POODLE attack exploits weaknesses in the CBC mode of operation.
If you access the REST APIs via NGINX, enable GNUTLS in the TLS_Engine and disable SSLv3 to protect SMTP traffic. To do this, set the tls_ciphers configuration option to disable SSLv3 in your ecelerity.conf file:

TLS_Ciphers = "NORMAL:-VERS-SSL3.0"

For more information, see the GNUTLS website.

To fix this vulnerability in OpenSSL, make sure you are running Momentum 4.1.0.2 or later and set the tls_protocols configuration option to disable SSLv3 in your ecelerity.conf file:

TLS_Protocols = "+ALL:-SSLv3"