Update #1: For sftp users using RHEL 8 with the curl utility version curl-7.61.1-34.el8 for PDA file transfers.
The PDA Development team has discovered an anomaly with RHEL 8 and curl version curl-7.61.1-34.el8.
The Red Hat Network (RHN) has published a related bug report [RHEL-44684] and also published an available update for 'curl' [and its dependencies] to version 7.61.1-34.el8_10.2 to resolve the issue.
If your environment meets the criteria above and begins to experience curl-based file transfer issues with PDA after the PDA Release 4.8 upgrade, currently scheduled for 11/12/2024 – 11/14/2024, we recommend reviewing the RHN guidance above to update your curl configuration.
At this time we do not know whether any curl variants other than the Red Hat versions in our baseline are affected by this issue.
Topic: Planned PDA SFTP Vulnerable Cipher Removal activity at the NSOF CBU and OPS sites.
Date/Time Issued: October 29, 2024 1700Z
Product(s) or Data Impacted: Products transferred to/from PDA using the SFTP client protocol.
Date/Time of Initial Impact: October 23, 2024 1400Z for the PDA CBU site
November 14, 2024 1400Z for the PDA OPS site
Date/Time of Expected End: This is expected to be a permanent change.
Length of Event: This change will be effective with PDA Release 4.8.
Details/Specifics of Change: PDA Release 4.8 will update available Key Exchanges, Signatures, Ciphers and MAC Algorithms which are used during SFTP Server handshake. The purpose of this change is to remove vulnerable ciphers.
If you connect to PDA SFTP servers to push or pull files as a client, this change may affect you. Please see ‘Recommended Actions’ below.
Important Dates - *Note Critical Weather may cause the CBU and/or OPS date(s) to change.
This change is installed in our Integration and Test (I&T) environment as of August 28, 2024.
This change is scheduled to be installed in the PDA CBU environment on October 23, 2024.
This change is scheduled to be installed in the PDA OPS environment on November 14, 2024.
Users should verify their SFTP connectivity to the PDA I&T environment ASAP or the CBU environment before November, 2024.
Specifics of the change: Only the following Ciphers, MACs, Key Exchanges and Signatures will be compatible after the PDA Release 4.8 update:
Ciphers:
MACs:
Key Exchanges:
Signatures:
Users with SFTP clients that connect to PDA SFTP Servers should verify they support one of the usable algorithms listed above.
If you are one of these users, please respond with lists of your supported Ciphers, MACs, Key Exchanges, and Signatures, and let us know if you expect to be impacted by this update. Email your information and/or questions to PDA_DHS@NOAA.gov
Please also mark your calendars for the deployment dates to verify connection.
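The client-side inventory requested above can be scripted. This is an added example, not part of the PDA notice: it queries the local OpenSSH client with `ssh -Q` and reports the overlap with the permitted lists, which are left as empty placeholders (`ALLOWED_*`) because their values must come from PDA. It assumes an OpenSSH client recent enough to support `ssh -Q sig`; the function names and the `report` argument are this example's own, and curl uses its own SSH library, so its supported algorithms can differ from what `ssh -Q` prints.

```shell
#!/bin/sh
# Added example (not PDA code): compare the local OpenSSH client's algorithms
# with the lists PDA accepts after Release 4.8.

# Placeholders: set each to the comma-separated list published by PDA.
# Left empty here, so every type reports NO MATCH until they are filled in.
ALLOWED_cipher="${ALLOWED_cipher:-}"
ALLOWED_mac="${ALLOWED_mac:-}"
ALLOWED_kex="${ALLOWED_kex:-}"
ALLOWED_sig="${ALLOWED_sig:-}"

# common_algos CLIENT ALLOWED
# Both lists may be separated by commas, spaces or newlines.
# Prints each client algorithm that also appears in ALLOWED, one per line.
common_algos() (
    set -f    # disable globbing while the lists are word-split
    for c in $(printf '%s' "$1" | tr ',' ' '); do
        for a in $(printf '%s' "$2" | tr ',' ' '); do
            if [ "$c" = "$a" ]; then printf '%s\n' "$c"; fi
        done
    done
)

# check_type LABEL CLIENT ALLOWED
# Prints a one-line verdict; returns 0 if at least one algorithm is shared.
check_type() {
    shared=$(common_algos "$2" "$3" | tr '\n' ' ')
    if [ -n "$shared" ]; then
        printf '%-8s OK        shared: %s\n' "$1" "$shared"
    else
        printf '%-8s NO MATCH  client offers nothing on the allowed list\n' "$1"
        return 1
    fi
}

# report: ask the installed OpenSSH client what it supports for each type.
report() {
    rc=0
    for t in cipher mac kex sig; do
        client=$(ssh -Q "$t" 2>/dev/null) || { echo "$t: ssh -Q $t failed"; rc=1; continue; }
        eval "allowed=\$ALLOWED_$t"    # $t comes only from the fixed list above
        check_type "$t" "$client" "$allowed" || rc=1
    done
    return "$rc"
}

# Run against the local client only when invoked with the argument "report".
case "${1:-}" in report) report ;; esac
```

Run it with the `ALLOWED_*` variables set in the environment and `report` as the argument; a non-zero exit status means at least one algorithm type has no overlap.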
Interruptions to processing are not expected during this activity. The PDA Support team will be monitoring the environment to quickly address any issues and assist with remediation.
Contact Information for Further Information: ESPC Operations at ESPCOperations@noaa.gov and 301-817-3880.
Web Site(s) for Applicable Information: https://www.ospo.noaa.gov/Products/ppp/monitor/index.html
This message was sent by ESPC.Notification@noaa.gov.