POODLE Vulnerability Update: Ensure Your Data Stays Secure
On October 14th, 2014, Google announced a vulnerability in the design of SSL version 3.0 (CVE-2014-3566), nicknamed POODLE (Padding Oracle On Downgraded Legacy Encryption). The SSLv3 protocol is implemented in OpenSSL and in commercial products. This vulnerability allows a network attacker to calculate the plaintext of secure connections and has an overall CVSS severity rating of MEDIUM.
In essence, the POODLE weakness allows an attacker to steal information that would normally be protected by the SSL encryption used to provide communication security and privacy over the Internet for applications such as web, email, instant messaging (IM), and some virtual private networks (VPNs).
EFT supports SSL connections for HTTPS and FTPS. For broad client support and backward compatibility, SSLv3 can be enabled on EFT. The SSLv3 protocol is vulnerable to the POODLE exploit. It is highly recommended, therefore, that you verify and modify the SSL configuration of EFT as needed to protect your information assets. Please see here for the workaround.
Mail Express also leverages SSLv3 in its current and historical versions. SSLv3 can be disabled via a configuration file or by enabling FIPS compatibility mode in the administrator UI. Customers can manually change their configuration as described here.
Neither WAFS nor DMZ Gateway is vulnerable to POODLE exploits.
Ipswitch File Transfer Solutions
MOVEit Managed File Transfer and WS_FTP Server are vulnerable to the POODLE exploit. To protect against an attack, Ipswitch recommends that all customers disable SSLv3 for all services and clients.
Please note: these products rely solely on Microsoft Windows to provide SSL/TLS services to the application. Therefore, disabling SSL 3.0 involves disabling it for the whole system. If the machine is not dedicated to these Ipswitch products, you may want to consider the impact of these changes on other applications running on the server.
JSCAPE MFT Server
The POODLE vulnerability (CVE-2014-3566) has been resolved in the latest version of JSCAPE MFT Server (220.127.116.11) by disabling the SSLv3 protocol.
Customers using previous versions of JSCAPE MFT Server are encouraged to upgrade to the latest version.
For instructions on disabling SSLv3 or additional assistance please contact the JSCAPE Help Desk directly for a prompt reply.
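Once SSLv3 has been disabled on any of the products above, the change can be confirmed from the network by offering the server an SSL 3.0-only handshake and checking that it is refused. The following is an added example, not code from any of the vendors named here; the function names and verdict strings are illustrative assumptions, and the probe is meant for servers you administer.

```python
import os
import socket
import struct

# Cipher suites offered in the probe (standard IANA IDs): AES128-CBC-SHA,
# AES256-CBC-SHA, 3DES-CBC-SHA, RC4-128-SHA.
SUITES = (0x002F, 0x0035, 0x000A, 0x0005)
SSL3 = b"\x03\x00"


def build_sslv3_client_hello(random_bytes=None):
    """Return one SSLv3 record carrying a ClientHello that offers only SSL 3.0."""
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    suites = b"".join(struct.pack(">H", s) for s in SUITES)
    body = (SSL3 + rnd + b"\x00"                      # version, random, empty session id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00")                            # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack(">H", len(handshake)) + handshake


def classify_reply(reply):
    """Map the first bytes of the server's reply to a verdict string."""
    if not reply:
        return "rejected"            # connection closed without an answer
    if reply[0] == 0x15:
        return "rejected"            # alert record
    if len(reply) >= 11 and reply[0] == 0x16 and reply[5] == 0x02:
        # ServerHello: server_version sits right after the 4-byte handshake header
        return "sslv3-enabled" if reply[9:11] == SSL3 else "unexpected"
    return "unexpected"


def probe(host, port=443, timeout=5.0):
    """Send the probe to a server you administer and classify its reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            return classify_reply(sock.recv(4096))
    except ConnectionResetError:
        return "rejected"
```

A verdict of `sslv3-enabled` means the service still negotiates SSL 3.0 and its configuration needs another look; for FTPS on an explicit-TLS port the probe would have to follow the `AUTH TLS` command, which this example does not do.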
If you have any queries, please don’t hesitate to get in touch with one of the team.