POODLE SSLv3 Security Alert October 2014

Summary

Epicor has been tracking a vulnerability in the SSL 3.0 protocol, which has been assigned CVE-2014-3566. Because the flaw is in the protocol itself rather than in one product, every implementation of SSL 3.0 is affected.

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. The attack has two parts. First, a man-in-the-middle forces a downgrade: by interfering with the TLS handshake, the attacker makes a client that implements the common protocol-version fallback retry the connection with SSL 3.0. Second, the attacker exploits a weakness in SSL 3.0's CBC cipher suites: SSL 3.0 does not define the contents of the padding bytes and the receiver checks only the padding-length byte, so by copying a chosen ciphertext block into the padding position and observing whether the server accepts the record, the attacker learns one byte of plaintext per roughly 256 attempts. Against a browser this is typically used to recover a session cookie. POODLE is specific to Secure Sockets Layer (SSL) version 3.0; a conforming implementation of the newer Transport Layer Security (TLS) protocol, which must check every padding byte, is not affected.

Because it is a vulnerability in the protocol, not a bug in a particular implementation, there is no "patch" that fixes SSL 3.0 itself. The remedy is to disable SSLv3 in all client and server software: disabling it on either side of a connection prevents the downgrade for that pair, and disabling it on both sides removes the dependency on the other party.
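
The padding-oracle half of the attack is easiest to understand by running it. The following is an added example, not code from Epicor or from the Eclipse product: it simulates an SSL 3.0 block-cipher record (plaintext, MAC, padding, padding-length byte), a server that checks only the length byte as SSL 3.0 does, and an attacker who recovers a secret from repeated records one byte at a time. The block cipher is a toy 4-round Feistel network built on SHA-256 and the MAC is a truncated keyed hash; both are assumptions standing in for 3DES/AES-CBC and HMAC, since only the record layout and the padding check matter. The sample cookie is constructed for the demo.

```python
# Added example (not Epicor code): SSL 3.0 CBC padding oracle as used by POODLE.
# Toy Feistel cipher and truncated hash MAC are assumptions; only invertibility matters.
import hashlib
import os

BLOCK = 8      # 64-bit block, as with 3DES-CBC
MAC_LEN = 8    # truncated MAC, enough for the demo

def _f(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return r + l

def block_decrypt(key, blk):
    r, l = blk[:4], blk[4:]              # undo the final swap
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def cbc(key, iv, data, encrypt):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if encrypt:
            prev = block_encrypt(key, _xor(blk, prev))
            out += prev
        else:
            out += _xor(block_decrypt(key, blk), prev)
            prev = blk
    return out

def mac(mac_key, data):
    return hashlib.sha256(mac_key + data).digest()[:MAC_LEN]

def ssl3_seal(enc_key, mac_key, plaintext):
    """SSL 3.0 GenericBlockCipher: plaintext || MAC || padding || padding_length."""
    body = plaintext + mac(mac_key, plaintext)
    pad_len = BLOCK - 1 - len(body) % BLOCK      # padding_length < block size
    body += bytes([pad_len]) * (pad_len + 1)     # SSL 3.0 leaves pad bytes unspecified
    iv = os.urandom(BLOCK)
    return iv + cbc(enc_key, iv, body, True)

def ssl3_open(enc_key, mac_key, record, strict_padding=False):
    """Server side. SSL 3.0 checks only the length byte; strict_padding=True adds
    the TLS rule that every padding byte must equal padding_length."""
    body = cbc(enc_key, record[:BLOCK], record[BLOCK:], False)
    pad_len = body[-1]
    if pad_len >= BLOCK:
        return None
    if strict_padding and any(b != pad_len for b in body[-(pad_len + 1):-1]):
        return None
    body = body[:-(pad_len + 1)]
    plaintext, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return plaintext if mac(mac_key, plaintext) == tag else None

def poodle(client_send, server_accepts, secret_len, max_tries=20000):
    """Attacker. client_send(prefix_len, suffix_len) returns a fresh record of
    prefix || secret || suffix (the attacker controls the lengths, as a hostile web
    page controls a browser's request); server_accepts(record) is the oracle."""
    recovered = bytearray()
    for j in range(secret_len):
        p = (BLOCK - 1 - j) % BLOCK                  # put secret[j] last in its block
        s = (-(p + secret_len + MAC_LEN)) % BLOCK    # make the padding a full block
        t = (p + j) // BLOCK                         # plaintext block holding secret[j]
        for _ in range(max_tries):
            rec = client_send(p, s)
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]  # blocks[0] is the IV
            forged = b"".join(blocks[:-1]) + blocks[t + 1]   # target block replaces padding block
            if server_accepts(forged):    # accepted only if its last byte decrypts to BLOCK-1
                recovered.append((BLOCK - 1) ^ blocks[t][-1] ^ blocks[-2][-1])
                break
        else:
            raise RuntimeError("oracle never accepted a forged record")
    return bytes(recovered)

def demo(strict_padding=False, max_tries=20000):
    """Returns (recovered, actual) for a constructed sample cookie."""
    enc_key, mac_key = os.urandom(16), os.urandom(16)
    secret = b"SESSION=deadbeef"                  # constructed sample secret
    client = lambda p, s: ssl3_seal(enc_key, mac_key, b"A" * p + secret + b"B" * s)
    server = lambda rec: ssl3_open(enc_key, mac_key, rec, strict_padding) is not None
    return poodle(client, server, len(secret), max_tries), secret
```

Running demo() recovers the full cookie after about 256 records per byte, which is why the attack needs a victim browser that can be made to repeat the request. Running demo(strict_padding=True) never succeeds: with the TLS padding rule, the forged block is rejected unless all of its padding bytes decrypt correctly, which is why the fix for POODLE is to stop speaking SSL 3.0 rather than to change the cipher suites.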

Epicor’s Response

There are functions of the Eclipse server software that initiate HTTPS connections to external servers (e.g. for credit card processing). Those connections previously allowed SSLv3, so we have updated the code to explicitly require TLS connections. The patch (DNV616) can be applied manually, or it will be included by default in the customer’s next point upgrade.

We have also reviewed the Eclipse application server and confirmed that SSLv3 is already disabled in the release, which uses TLS by default.

Recommended Customer Actions

We recommend that customers request the patch or a point upgrade to a release of Eclipse with SSLv3 client functionality disabled.

We also recommend that any customers running external web servers (e.g. web commerce, mobile) disable SSLv3 on IIS using Microsoft's "Fix it" tool. The tool makes the change that Microsoft Security Advisory 3009008 documents as a manual workaround: under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server, the DWORD value Enabled is set to 0, and the server must be rebooted for SChannel to pick up the change. Leave the TLS 1.0 and later protocol keys enabled, or the site will stop accepting HTTPS connections altogether, and confirm the result afterwards with the check in the FAQ below.

FAQ

Q. How can I verify that my Solar application server (or any other secure web service) is not vulnerable?
A. Run the command below against every host and port on which the service accepts HTTPS connections:

openssl s_client -connect HOSTNAMEORIPADDRESS:PORT -ssl3

For example, the following output, from a run against the Solar application server on the local host (port 2443), shows that the service is not vulnerable: OpenSSL offers only SSLv3 and the server rejects the handshake rather than completing it. A vulnerable server would instead complete the handshake and print its certificate chain followed by a session block containing "Protocol  : SSLv3". If the command fails with "unknown option -ssl3", the local OpenSSL was built without SSLv3 support and cannot perform this test; use an older build or another tool.

[root@rs6k ~]# openssl s_client -connect localhost:2443 -ssl3
CONNECTED(00000003)
25211:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284:
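
When no SSLv3-capable OpenSSL is available, the same check can be made without it. The following is an added example, not an Epicor tool: it sends a hand-built SSL 3.0 ClientHello and classifies the first record the server returns. A ServerHello with version 3.0 means the server still speaks SSLv3; an alert or a closed connection means it refused. The hostname, port and cipher-suite list are assumptions.

```python
# Added example (not Epicor tooling): probe a port for SSL 3.0 support with a raw
# ClientHello. Host, port and cipher list are assumptions.
import os
import socket
import struct

SSL3 = b"\x03\x00"
# Common SSL 3.0 suites: RC4-MD5, RC4-SHA, DES-CBC3-SHA, AES128-SHA, AES256-SHA
CIPHER_SUITES = [0x0004, 0x0005, 0x000A, 0x002F, 0x0035]

def build_sslv3_client_hello():
    suites = b"".join(struct.pack(">H", c) for c in CIPHER_SUITES)
    body = (SSL3                                  # client_version = 3.0
            + os.urandom(32)                      # random
            + b"\x00"                             # empty session_id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00")                        # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body   # ClientHello, 24-bit length
    return b"\x16" + SSL3 + struct.pack(">H", len(handshake)) + handshake

def classify_response(data):
    """Map the server's first bytes to 'sslv3-accepted', 'sslv3-refused' or 'unknown'."""
    if len(data) < 5:
        return "sslv3-refused"       # connection closed without a record
    if data[0] == 0x15:
        return "sslv3-refused"       # alert, e.g. handshake_failure(40) or protocol_version(70)
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02 and data[9:11] == SSL3:
        return "sslv3-accepted"      # ServerHello with server_version 3.0: vulnerable
    return "unknown"                 # not SSL/TLS at all, or something unexpected

def probe(host, port, timeout=5.0):
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_response(data)

if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])     # e.g. localhost 2443
    print(host, port, probe(host, port))
```

Treat "unknown" as a reason to look at the raw bytes rather than as a pass: a plain-HTTP listener or a proxy that answers with text will land there.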