POODLE: Vulnerability in SSL 3.0 and its impact on Seclore FileSecure
What is POODLE ?
POODLE stands for Padding Oracle On Downgraded Legacy Encryption, a newly discovered vulnerability in SSL 3.0.
What is the scope of the vulnerability?
SSL 3.0 encryption uses either RC4 stream cipher or CBC mode block cipher. The impact of the vulnerability mentioned here is limited to CBC encryption used by SSL 3.0 in cases where the client-server communication can be modified by an attacker, also referred to as man-in-the-middle attacks.
How does the vulnerability affect my Seclore IRM Infrastructure?
This vulnerability does not affect Seclore FileSecure products (Policy Server, Desktop Client, Hot Folder, AppConnect, WebConnect etc.) since RC4 stream ciphers are utilized for SSL 3.0 compatibility. The peripheral components such as Apache web server and network load balancers where SSL connections are terminated on the server will require actions addressed below to ensure secure communication.
What actions are required to mitigate the risk on my Seclore IRM environment?
- No direct action is required with respect to Seclore products since RC4 stream ciphers are utilized between Seclore components such as Policy Server & Desktop Client.
- Ensure that the TLS_FALLBACK_SCSV mechanism is supported on the SSL endpoint. For instance, Apache web server implementations will need to update their respective OpenSSL packages to prevent a forced downgrade dance:
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
- Cipher configurations will need to be reviewed in case CBC block ciphers are supported; modifications will then be necessary to ensure that only RC4 stream ciphers are utilized in case older client browsers (e.g. Internet Explorer 6) that do not support TLS need to communicate with Apache web server. In order to check the existing supported ciphers, please use the following url & reach out toSeclore Support for any additional clarifications:
- For other network components such as network load balancers where SSL termination can occur, it is recommended to follow up with the product vendor.
- It is extremely essential not to disable SSL 3.0 at the current moment; doing so may disrupt product functionalities and induce unnecessary outages.
Note: The above advisory is of interim status and shall be updated as new information becomes available.