Security Update: Poodle SSLv3 Vulnerability
Recently, Google researchers identified a security flaw in version 3 of the SSL protocol (SSLv3). The attack has been named POODLE (“Padding Oracle On Downgraded Legacy Encryption”) for easy reference.
This impacts web servers that are still configured to accept connections over SSLv3, even if they also support the newer TLS versions.
Vulnerability information
The POODLE vulnerability is a weakness in the way SSLv3 handles encryption in CBC mode: the padding bytes at the end of each record are neither covered by the integrity check (MAC) nor properly validated, so the server's accept/reject behaviour acts as a “padding oracle” that lets an attacker recover plaintext one byte at a time (on average 256 requests per byte).
This vulnerability can be exploited by attackers who are positioned to modify network traffic between the browser and the target server. By interfering with the handshake they can force the browser to fall back to SSLv3 (the “downgrade” in the name) and then recover data that would normally be protected by encryption, such as session cookies.
For this exploit to be utilised, an attacker therefore needs two things: a way to make the victim's browser issue many SSL requests to the target site (for example, JavaScript injected into a plain HTTP page), and the ability to modify network traffic between the browser and the target server.
This affects both Linux- and Windows-based servers if you are running a web server, whether that is:
- Apache
- Litespeed
- Nginx
- IIS
To see if your website (server) is vulnerable, head over to https://www.tinfoilsecurity.com/poodle and enter the SSL address of your server (a domain name or IP address).
The interesting fact here is that the majority of web-based applications and services no longer use SSLv3; modern browsers and servers negotiate TLS instead, and SSLv3 is only kept as a fallback for very old clients (essentially Internet Explorer 6 on Windows XP). So in most cases SSLv3 is enabled but not required, and turning it off has no practical impact.
You can read more in Google's blog post about the attack.
What have we done?
Upon first being alerted to this vulnerability we patched all core and non-core servers, including our Shared / Reseller servers. The majority of our apache based servers were already configured to not use SSL v3.
We checked our Managed VPS product and confirmed they were not vulnerable, so no further action was taken for those services.
We worked with some software vendors who were using SSL v3 (surprisingly!) to ensure they were developing a patch to remove this support. We have since patched the software that was affected.
What should you do?
If you are a customer on our Web Hosting or Reseller Hosting products, you can disregard this notice as we have already patched your services.
If you are on a self-managed VPS or dedicated server service, we recommend you take action and disable SSLv3 in your web server's configuration.
We’ve prepared a Knowledge Base article for you to follow: https://help.crucial.com.au/hc/en-gb/articles/203309684
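As an added illustration (not the contents of the Knowledge Base article above), this is what disabling SSLv3 looks like in an Apache httpd mod_ssl virtual host; the `SSLProtocol` line is the only change. The server name and certificate paths are placeholders. Apache does not allow comments on the same line as a directive, so they are kept on their own lines:

```apacheconf
<VirtualHost *:443>
    # placeholder host name and certificate paths
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key

    # Vulnerable: "all" includes SSLv3 (and SSLv2 on older builds)
    # SSLProtocol all

    # Fixed: keep every TLS version, explicitly remove SSLv2 and SSLv3
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
```

Run `apachectl configtest` and reload Apache afterwards. The equivalent for Nginx is `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the `server` block, and on IIS SSLv3 is disabled through the SCHANNEL registry key `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server` (DWORD `Enabled` set to 0) followed by a reboot. Re-check with the scanner linked above once the service has been reloaded.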
If you are on a VPS or dedicated server service and have the “Full Management” support option (or are a Control Panel VPS customer) please open a support ticket and we will check / patch as required.
If you are on our new Managed VPS product, we have already confirmed you are not vulnerable to this and no action is required.
ronsman
Travis Lochert