In October a vulnerability known as POODLE, affecting a core networking protocol (SSL 3.0), was disclosed. This vulnerability is an industry-wide vulnerability, meaning the risk is not specific to a single operating system or browser. The vulnerability affects the SSL 3.0 protocol itself, therefore any service using SSL 3.0 certificate for secure authentication is at risk.
 
Since the disclosure of the vulnerability, Navantis has been asked by several clients to identify the risk of this vulnerability to their business. While the vulnerability is not considered high risk, we do recommend that our customers take proactive measures to block potential threats. Major vendors, like Microsoft, have offered simple workarounds which will help block known attack vectors until a security update is available.
 
It is recommended that clients modify their servers to disable SSL 3.0 and migrate to more secure security protocols such as TLS 1.0, TLS 1.1 or TLS, 1.2. This means, however, that clients using older versions of browsers that do not support more modern security protocols may have issues connecting to their services. Which is why we recommend that all clients assess the impact of disabling SSL 3.0. See Microsoft’s Security Advisory for more information regarding impacted software and their suggested actions.
 
Within our datacenter and hosting environments we have been modifying our web servers to disable SSL 3.0 where possible. Due to mitigating factors and the difficulty to exploit this vulnerability, Navantis will not disable SSL 3.0 on servers we host and/or manage without being directed to do so from our clients. We recommend clients evaluate their end users connectivity procedures because users using IE 6 or similar compatible browsers will no longer be able to connect to our web-based services once SSL 3.0 has been disabled.
 
For assistance in assessing the risk associated to this vulnerability in both your systems and in your hosted solutions in our OnCloud Data Centre contact sales@navantis.com and we will engage one of our security experts to assess the risk to your environment and to your customers.

For more information regarding this vulnerability, please refer to:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
https://technet.microsoft.com/en-us/library/security/3009008.aspx

For our clients for whom we host and/or manage web based solutions, we will be offering an information session (delivered via Lync) regarding this vulnerability to discuss the risks, and impact of addressing the vulnerability by modifying server settings and/or client settings. If you are interested in attending this session, please contact your Service Manager. Depending on interest, more than one session may be scheduled.