There is a new SSL vulnerability reported in mass media, dubbed “Poodle”. Poodle does not include a “patch” because it is a protocol deficiency, not an implementation bug. The good news is though that SSLv3 is very old and the only browser that still requires this is IE6 on Windows XP, both are absolutely out of date.
However, it seems that when SSLv3 is activated on a web server, an attacker might force client and server to use it and then subsequently decrypt the connection. We have made sure our stratodesk.com webservers do not accept SSLv3.
Ubuntu 12.04 and Ubuntu 14.04 support SSLv3 so we have added code to our 1.0-75 stratodeskva software package to explicitely override the Ubuntu defaults and disable SSLv3. If you use Stratodesk Virtual Appliance and are concerned about Poodle, please update to 1.0-75 or later.
If you are interested in how to secure any other (non-Stratodesk) Apache, check the links below – basically all you need to do is to add “SSLProtocol All -SSLv2 -SSLv3” into your SSL configuration.
References:
- https://www.openssl.org/~bodo/ssl-poodle.pdf
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
- http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566
