This vulnerability (CVE-2014-3566), named POODLE by its discoverers, allows the plaintext of secure connections to be calculated by a network attacker.
The vulnerability allows an attacker to compromise the encryption when the SSLv3 protocol is in use. By manipulating the padding of requests sent over SSLv3, an attacker can recover the plaintext of the encrypted data. Newer browsers default to newer, more secure protocols (e.g., TLSv1.2), but an attacker can trigger conditions in many browsers that force them to fall back to SSLv3. The end result is that an attacker can force a downgrade to SSLv3 and then intercept traffic carried over the resulting encrypted connection, which uses the vulnerable protocol.
Our Content Delivery and Hosting Providers have completed the following mitigation measures for the SSL version 3.0 vulnerability.
Content Delivery Provider
To protect end user connections, SSL v3.0 has been disabled in favor of TLS. SSL v3.0 has also been disabled for connections from the content delivery service to VersionOne's origin servers. Together, these measures protect communications between end users and the VersionOne application end to end.
Hosting Provider
Per our hosting provider, Rackspace, the SSLv3 module has been disabled on our load balancers. TLS is now the protocol that ensures privacy and data integrity between client and server applications.
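The downgrade described above and the mitigation of refusing SSLv3 at the edge come together at one decision point: what a TLS terminator does with the version a client offers in its ClientHello. The following is an added example, not code from VersionOne, Rackspace or the content delivery provider. It parses a raw ClientHello record, rejects anything below a configured floor (the SSLv3 disable described on this page), and additionally honors TLS_FALLBACK_SCSV (RFC 7507, a standard mechanism the page does not mention) so that a client that was forced to retry at a lower version than it supports is also refused rather than silently served. The policy constants and the sample ClientHello bytes are constructed for the example.

```python
import struct

# Protocol versions as they appear on the wire (major, minor): SSL 3.0 is 0x0300,
# TLS 1.0/1.1/1.2 are 0x0301/0x0302/0x0303.
SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = 0x0300, 0x0301, 0x0302, 0x0303

# TLS_FALLBACK_SCSV (RFC 7507): a client that retries a handshake at a lower
# version than it supports places this signalling value in cipher_suites.
TLS_FALLBACK_SCSV = 0x5600

HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01

# Hypothetical terminator policy (constructed for this example): SSLv3 off,
# TLS 1.0 still accepted for legacy clients, TLS 1.2 the highest we negotiate.
POLICY_MIN_VERSION = TLS_1_0
POLICY_MAX_VERSION = TLS_1_2


def parse_client_hello(record: bytes) -> dict:
    """Pull client_version and cipher_suites out of a raw ClientHello record."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS/SSL handshake record")
    record_version, body_len = struct.unpack(">HH", record[1:5])
    body = record[5:5 + body_len]
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        raise ValueError("record does not carry a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # client_version (2) + random (32) + session_id length (1) must be present
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack(">H", hello[0:2])[0]
    pos = 34
    session_id_len = hello[pos]
    pos += 1 + session_id_len
    if len(hello) < pos + 2:
        raise ValueError("truncated cipher_suites length")
    suites_len = struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2
    raw_suites = hello[pos:pos + suites_len]
    if len(raw_suites) != suites_len or suites_len % 2:
        raise ValueError("malformed cipher_suites vector")
    suites = [struct.unpack(">H", raw_suites[i:i + 2])[0]
              for i in range(0, suites_len, 2)]
    return {"record_version": record_version,
            "client_version": client_version,
            "cipher_suites": suites}


def version_decision(record: bytes,
                     min_version: int = POLICY_MIN_VERSION,
                     max_version: int = POLICY_MAX_VERSION) -> tuple:
    """Return (accept, reason) for one ClientHello under the version policy.

    Two rejections: the offered version is below the floor (the SSLv3 disable
    this page describes), or the client signals TLS_FALLBACK_SCSV while offering
    less than our highest version, i.e. the retry a forced downgrade produces
    (RFC 7507 answers this with an inappropriate_fallback alert)."""
    hello = parse_client_hello(record)
    v = hello["client_version"]
    if v < min_version:
        return False, f"protocol_version: client offered {v:#06x}, floor is {min_version:#06x}"
    if TLS_FALLBACK_SCSV in hello["cipher_suites"] and v < max_version:
        return False, f"inappropriate_fallback: SCSV present but client offered {v:#06x}"
    return True, f"accepted at {min(v, max_version):#06x}"


def build_client_hello(version: int, suites: list) -> bytes:
    """Constructed sample ClientHello (no extensions) for offline use."""
    hello = struct.pack(">H", version) + bytes(32) + b"\x00"  # version, random, empty session_id
    hello += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    hello += b"\x01\x00"  # compression_methods: [null]
    body = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE_RECORD]) + struct.pack(">HH", version, len(body)) + body


if __name__ == "__main__":
    samples = {
        "SSLv3 client": build_client_hello(SSL_3_0, [0x002F]),
        "TLS 1.2 client": build_client_hello(TLS_1_2, [0xC02F, 0x002F]),
        "legacy TLS 1.0 client": build_client_hello(TLS_1_0, [0x002F]),
        "downgraded client (TLS 1.0 + SCSV)": build_client_hello(TLS_1_0, [0x002F, TLS_FALLBACK_SCSV]),
    }
    for name, rec in samples.items():
        accept, reason = version_decision(rec)
        print(f"{name:38} -> {'accept' if accept else 'REJECT'}: {reason}")
```

The decision keys on `client_version` inside the handshake, not on the record-layer version, because real clients commonly send a ClientHello with a record version lower than the handshake version they offer. The reason strings are written to be logged: a burst of `protocol_version` rejections after a change like the one described on this page is the expected signature of legacy clients, while `inappropriate_fallback` rejections from clients that normally complete TLS 1.2 handshakes are the downgrade condition the page describes and are worth alerting on.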