Advisory on SSL3 ‘Poodle’ vulnerability

The “Poodle” vulnerability, released on October 14th, 2014, is an attack on the SSL 3.0 protocol. It is a protocol flaw and every implementation of SSL 3.0 suffers from it.

Note that we are talking about the old SSL 3.0, not TLS 1.0 or later. The TLS versions are not affected (neither is DTLS) by the vulnerability.

Are our gateways vulnerable to the Poodle attack ?

The attack scenario requires the attacker to be able to inject data of their own, and to intercept the encrypted bytes. The only plausible context where such a thing can happen is in a Web browser. Therefore, Poodle is an attack on the client, not on the server, which means our gateways are not technically ‘vulnerable’ to the attack.

However, if there is concern that the administrator’s web browser may be ‘vulnerable’ to this attack when accessing our admin GUI, the administrator can choose to disable SSL 3.0 support in their browser or upgrade their browser to the latest version which has patched this vulnerability.

As a precautionary measure, SSL 3.0 support will also be removed from our gateways in future during our regular software updates cycles.