Google researchers have announced the discovery of a vulnerability that affects implementations and use of SSLv3 as means of secure communications. This vulnerability has been named POODLE (Padding Oracle on Downgraded Legacy Encryption). The vulnerability makes it possible for an attacker to perform a man in the middle attack and intercept traffic between client and server software.
This statement relates to Simple Encryption Platform (SEP) version 5.0 and below, and applies to all components with SSLv3 implementations in use: SEP Client, Secured eUSB Client, SEP Management Console and SEP Server. The POODLE vulnerability affects all SEP components using the sep:// protocol.
The Cryptzone development team are working to provide a security patch, which will switch and enforce protocols to use TLS1.2 throughout SEP, as well as changing the default setup to prevent fallback to SSLv3. This patch will be available by the end of October at the latest.
The Cryptzone development team have provided a security patch, which switches and enforces protocols to use TLS1.2 throughout SEP, as well as changing the default setup to prevent fallback to SSLv3. This patch was made available on 31st of October 2014.
For more information on the SSL POODLE vulnerability, visit: https://www.openssl.org/~bodo/ssl-poodle.pdf