
Was VersionOne affected by the Poodle Security Vulnerability?

Background

This vulnerability (CVE-2014-3566), named POODLE by its discoverers, allows the plaintext of secure connections to be calculated by a network attacker.

The vulnerability allows an attacker to compromise the encryption of connections that use the SSLv3 protocol. An attacker can add padding to a request in order to calculate the plaintext of data encrypted with SSLv3. Newer browsers default to newer, more secure encryption protocols (e.g., TLSv1.2), but malicious attackers can trigger conditions in many browsers that force them to fall back to SSLv3. The end result is that an attacker can force a downgrade to SSLv3, allowing traffic sent over an encrypted connection using the vulnerable protocol to be intercepted.

Answer

Our Content Delivery and Hosting Providers have completed the following mitigation measures for the SSL version 3.0 vulnerability.

Content Delivery Provider

To protect end user connections, SSL v3.0 has been disabled in favor of TLS. SSL v3.0 has also been disabled for connections from the content delivery service to VersionOne's source servers. Together, these measures protect communications between end users and the VersionOne application end to end.

Hosting Provider

Per our hosting provider, Rackspace, the SSLv3 module has been disabled on our load balancers. TLS is now the secure protocol that ensures privacy and data integrity between client/server applications.