In October a vulnerability known as POODLE, affecting a core networking protocol (SSL 3.0), was disclosed. This vulnerability is an industry-wide vulnerability, meaning the risk is not specific to a single operating system or browser. The vulnerability affects the SSL 3.0 protocol itself, therefore any service using SSL 3.0 certificate for secure authentication is at risk.
Since the disclosure of the vulnerability, Navantis has been asked by several clients to identify the risk of this vulnerability to their business. While the vulnerability is not considered high risk, we do recommend that our customers take proactive measures to block potential threats. Major vendors, like Microsoft, have offered simple workarounds which will help block known attack vectors until a security update is available.
It is recommended that clients modify their servers to disable SSL 3.0 and migrate to more secure security protocols such as TLS 1.0, TLS 1.1 or TLS, 1.2. This means, however, that clients using older versions of browsers that do not support more modern security protocols may have issues connecting to their services. Which is why we recommend that all clients assess the impact of disabling SSL 3.0. See Microsoft’s Security Advisory for more information regarding impacted software and their suggested actions.
Within our datacenter and hosting environments we have been modifying our web servers to disable SSL 3.0 where possible. Due to mitigating factors and the difficulty to exploit this vulnerability, Navantis will not disable SSL 3.0 on servers we host and/or manage without being directed to do so from our clients. We recommend clients evaluate their end users connectivity procedures because users using IE 6 or similar compatible browsers will no longer be able to connect to our web-based services once SSL 3.0 has been disabled.
For assistance in assessing the risk associated to this vulnerability in both your systems and in your hosted solutions in our OnCloud Data Centre contact sales@navantis.com and we will engage one of our security experts to assess the risk to your environment and to your customers.
For more information regarding this vulnerability, please refer to:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
https://technet.microsoft.com/en-us/library/security/3009008.aspx
For our clients for whom we host and/or manage web based solutions, we will be offering an information session (delivered via Lync) regarding this vulnerability to discuss the risks, and impact of addressing the vulnerability by modifying server settings and/or client settings. If you are interested in attending this session, please contact your Service Manager. Depending on interest, more than one session may be scheduled.
Joseph Sgandurra, a self-proclaimed IT junkie in his youth has grown to understand that IT is not made of shiny technology alone. Maturing IT and its delivery through well-constructed and repeatable standards and processes can elevate an IT organization from a "necessary evil" to a equal "partner" at the management table where direction and decisions are made that will impact the business. After 25 years in IT spanning from data-entry to Datacenter management, from Service Desk to Consulting, from management to design and architecture, Joseph has leveraged his understanding and knowledge to help IT organizations improve and capitalize on their current investments and better service their customers. An ITIL v2 Master and v3 Expert, along with MSCE, MOFF Trainer, MCT and CTT, Joseph is well versed in operations, training and communications to help deliver the message to all levels within a business; from system operators to IT and Business management to CxO's.
(647) 258-9031
info@navantis.com
