Return
-
Title
SSL3.0 Vulnerability - "POODLE" and TPAM (CVE-2014-3566) -
Description
A discovered vulnerability in the SSL 3.0 protocol leaves it open to a "man in the middle" attack. According to Microsoft, the vulnerability is not considered high risk due to the fact that hundreds of HTTPS requests would have to be made to allow the attack to be successful.
Please see Microsoft Security Advisory 3009008 for more information.
For additional details on the vulnerability please see CVE-2014-3566 from "Common Vulnerabilities and Exposures". -
Resolution
We suggest disabling SSL 3.0 within client browsers via Group Policy, etc. This is considered best practice in order to protect all systems, and is recommended by Microsoft, as per the article provided above.
Versions of TPAM 2.5.913 and above disable SSL3 by default. In previous versions you can and apply Hotfix_6815 to disable SSL 3.0 in TPAM.STATUS
Version 2.5.913+
SSL 3.0 is disabled.
Version 2.5.904 - 2.5.912Hotfix_6815
This hotfix removes SSL 3.0 as a valid protocol in TPAM web service. Additionally, TLSv1.1 & TLSv1.2 have been enabled.
Key:P6wCsqmsc5
Option:/genkey
Please note that a restart of the appliance is required following the application of the hotfix.Version 2.3.x and 2.4.x
Hotfix_6820Disable SSLv3 protocol on the TPAM Appliance.Please note that a restart of the appliance is required following the application of the hotfix.Key:uCDMUi7cgKUOption:/genkey