Regresar
-
Título
SSL3.0 Vulnerability - "POODLE" and Enterprise Single Sign-On -
Descripción
A recently discovered vulnerability in the SSL 3.0 protocol leaves it open to a "man in the middle" attack. According to Microsoft, the vulnerability is not considered high risk due to the fact that hundreds of HTTPS requests would have to be made to allow the attack to be successful.
Please see Microsoft Security Advisory 3009008 for more information.
For additional details on the vulnerability please see CVE-2014-3566 from "Common Vulnerabilities and Exposures". -
Resolución
The POODLE SSLv3 vulnerability (CVS-2014-3566) impacts the Self Service Admin Portal (SSPR) Web Server.
When the User Access the Web Server is hosted by an Apache server (default configuration), a workaround exists:
Administrators of the Web Server should replace:"SSLProtocol -all +TLSv1 +SSLv3"
With
"SSLProtocol -all +TLSv1 -SSLv3"
In %ProgramFiles%[ (x86)]\Evidian\WebSrv\Apache2[.2]\config\ssl.conf file.
This will restrict the list of supported secure authentication protocols to TLSv1.
The User Access Web Server should then be restarted to take the configuration change into account.