News: Cleo SSL Protocol Software Not Vulnerable to POODLE Attacks

On Oct. 14, 2014, a vulnerability in version 3.0 of the SSL encryptionprotocol was publicly disclosed. This vulnerability, dubbed POODLE (Padding Oracle On Downgraded Legacy Encryption – CVE-2014-3566 and the related CVE-2014-8730 ), enables an attacker to read information encrypted with this specific version of the SSL protocol in plain text using a man-in-the-middle attack.

Although SSLv3 is an older and obsolete version of the protocol, many software packages enable fallback to SSLv3 if better encryption options are not available. More importantly, it is possible for an attacker to force SSLv3 connections if it is an available option for both participants attempting a connection. The POODLE vulnerability can potentially affect just about any service or client software that makes it possible to communicate using SSLv3.

Cleo’s implementation of the SSLv3 protocol, however, was designed such that it is not subject to the POODLE vulnerability. This statement applies to Cleo Harmony, Cleo VLTrader, and Cleo LexiCom.

Nonetheless, IT security vulnerability scans can flag any available instance of SSLv3 in use. Additionally, in most cases, you are unable to ensure that your trading partners’ SSL protocol software (which may not be a Cleo solution) is not otherwise subject to this vulnerability.

Therefore, Cleo recommends that you disable use of SSLv3. Using version 4.4 (or later) of Cleo Harmony, Cleo VLTrader, and Cleo LexiCom, you should completely disable SSLv3 from use in both client-side and server-side data exchange using the administrative configuration user interface.

Contact Cleo support if you require assistance in setting up this configuration.

Post Published Date