Customer Alert: POODLE Vulnerability

October 16th, 2014

On October 14, 2014, three Google researchers announced the details of a vulnerability in the design of SSL version 3 named the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability. This vulnerability affects all implementations of the SSLv3.0 protocol, but does not affect the newer encryption mechanism known as TLS (Transport Layer Security). Under the right conditions, the POODLE vulnerability would allow a cyber-criminal to hijack and decrypt the session cookie that identifies your browser to a service, and then take control of your accounts without needing your password. The POODLE vulnerability is being considered less severe than Heartbleed and Shellshock, since in order to exploit the vulnerability you must be running JavaScript, and the attacker has to be on the same network as you.

The Secure Sockets Layer (SSL) protocol is primarily used to encrypt traffic between a browser and a website.

Google’s security team has recommended that businesses disable SSLv3.0 immediately and use TLS 1.1 or 1.2 in order to avoid the problem. As an individual, it is recommended that you disable SSLv3.0 in your browser immediately to secure yourself when surfing websites that still support SSLv3.0. There currently is no patch for this, and SSLv3.0 is considered to have reached the end of its useful life and should be retired.

CSID has disabled SSLv3.0 across all our network traffic. We strongly advise that CSID customers take similar action to immediately disable SSLv3.0 in their environments and use an alternative encryption mechanism.
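After turning SSLv3.0 off, it is worth confirming from the outside that a server really refuses it. The following Python script is an added illustration and is not part of this alert or of any CSID tooling: it sends a minimal SSLv3 ClientHello and classifies the first record the server sends back, so a ServerHello at version 0x0300 means SSLv3 is still enabled, while an alert or a closed connection means the server declined it. The cipher suite list, the hostname default and the result labels are constructed for the example.

```python
"""Check whether a server still negotiates SSLv3 (POODLE exposure).

Added example, not part of the original alert. Sends a minimal SSLv3
ClientHello (record version 0x0300) and classifies the first record the
server returns. Usage: python sslv3_check.py <host> [port]
"""
import socket
import struct
import sys

SSLV3 = 0x0300              # protocol version 3.0
RECORD_HANDSHAKE = 0x16     # TLS/SSL record content type: handshake
RECORD_ALERT = 0x15         # TLS/SSL record content type: alert
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02

# Constructed list of SSLv3-era cipher suites; any suite the server knows
# is enough for it to answer the probe with a ServerHello if SSLv3 is on.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_sslv3_client_hello(client_random: bytes = b"\x00" * 32) -> bytes:
    """Return a complete SSLv3 ClientHello wrapped in a handshake record."""
    suites = b"".join(struct.pack(">H", s) for s in CIPHER_SUITES)
    body = (
        struct.pack(">H", SSLV3)                  # client_version = 3.0
        + client_random                           # 32-byte client random
        + b"\x00"                                 # session_id length 0
        + struct.pack(">H", len(suites)) + suites # cipher_suites vector
        + b"\x01\x00"                             # one compression method: null
    )
    # Handshake header: type (1 byte) + 24-bit length.
    handshake = bytes([HS_CLIENT_HELLO]) + struct.pack(">I", len(body))[1:] + body
    # Record header: content type, version, 16-bit length.
    return (bytes([RECORD_HANDSHAKE]) + struct.pack(">H", SSLV3)
            + struct.pack(">H", len(handshake)) + handshake)


def classify_response(data: bytes) -> str:
    """Classify the first record a server returned to the SSLv3 probe.

    Returns 'sslv3_enabled', 'sslv3_rejected' or 'unknown'.
    """
    if len(data) < 5:
        return "unknown"
    content_type = data[0]
    length = struct.unpack(">H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == RECORD_ALERT:
        # Servers with SSLv3 disabled typically answer protocol_version
        # or handshake_failure alerts.
        return "sslv3_rejected"
    if (content_type == RECORD_HANDSHAKE and len(payload) >= 6
            and payload[0] == HS_SERVER_HELLO):
        # ServerHello layout: type(1) + length(3) + server_version(2) ...
        server_version = struct.unpack(">H", payload[4:6])[0]
        if server_version == SSLV3:
            return "sslv3_enabled"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
        if not data:
            # Closing without a ServerHello means SSLv3 was not negotiated.
            return "sslv3_rejected"
        return classify_response(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{target}:{target_port} -> {probe(target, target_port)}")
```

Run it against your own hosts after the configuration change; a result of `sslv3_enabled` means the server still completes an SSLv3 handshake and the change has not taken effect (for example, a load balancer in front of the server still terminates SSLv3).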

For more information on the POODLE vulnerability, visit the Red Hat Security Blog.