Fix CVE-2014-3566 on multiple Apache web servers with Perl

What if you have a bunch of configuration files to update in order to fix POODLE: SSLv3 vulnerability (CVE-2014-3566)¬†? ¬†If you don’t have a configuration management system to help with this, you could use an easy perl one liner which you’ll see can come in handy in a ton of situations. ¬†Specifically, we’ll be looking at how to fix some Apache httpd configs.

If you’re like me, you probably already have SSLv2 disabled in your configuration so all we need to do is modify the existing “-SSLv2” configuration to include disabling SSLv3.

The following command will replace all entries of “-SSLv2” with “-SSLv2 -SSLv3”, disabling both SSL versions 2 and 3:

[root@vmhacks.com ~]# perl -pi -e 's/\-SSLv2/\-SSLv2 \-SSLv3/g' /etc/httpd/conf.d/*

[root@vmhacks.com ~]# service httpd restart

So what if you want to run this on a bunch of systems? just list all your systems in a file and run it through a shell for loop:

[maxmouse@vmhacks.com ~]$ for i in `cat SERVER.LIST`; do echo "SERVER: $i"; ssh -Aqt $i sudo su - -c \'perl -pi -e 's/\-SSLv2/"-SSLv2 -SSLv3"/g' /etc/httpd/conf.d/*\' ;echo " ";done

Enjoy
Mm.,