Critical Linux Vulnerability Alert: Poodle

A new critical exploit has been announced in the form of a vulnerability of a legacy encyption implementation, SSLv3.  The POODLE bug exploits an older encryption protocol and may allow a hacker to gain access to a secure session between a client and server utilizing SSLv3.  More info on Poodle can be found here:

https://www.us-cert.gov/ncas/alerts/TA14-290A

This flaw in SSLv3 may allow hackers to gain access to encrypted information such as HTTP cookies used in the session via a man-in-the-middle attack.

This vulnerability is not as critical as Shellshock or Heartbleed as attackers cannot exploit this flaw remotely. However, it is important to fix this issue as it could put sensitive data at risk of being exposed. Resolving this issue is also required for PCI compliance.

This attack requires both the client and the server to be using SSLv3 in order to be exploited.  The easiest way to protect yourself is to upgrade one or both ends of the connection.  On the client side, the only browser that still does not support TLS is Internet Explorer 6.  Fixing this bug will effectively leave IE6 users out in the cold, security-wise.  Modern browsers have the capability to turn off SSLv3 connections.  See: http://www.tomsguide.com/us/poodle-fix-how-to,news-19775.html

You can test your site to see if it is vulnerable to the POODLE bug at: https://www.poodlescan.com/

All Pantek Support Engineers have been advised of this issue, and trained in the appropriate response procedure. If you would like our assistance in determining if your server has been affected, or to fix the vulnerability, please open a Support Ticket via the Pantek Portal: https://portal.pantek.com/clientarea.php

Pantek Clients who have purchased a Managed Service Plan will receive a separate notification, as management of these third-party security issues is included without incurring extra charges.

You can find more details on our Managed Service Plans here:  http://www.pantek.com/managed

Latest posts by Charles Hawley (see all)