KbA0024: Kaizen and CopperCube SSL3 / Poodle Vulnerability

Description

The purpose of the KbA is to answer:

  1. Is the CopperCube vulnerable to the SSL3.0 environment bug (a.k.a. Poodle)?
  2. Is Kaizen vulnerable to the 1SSL3.0 environment bug (a.k.a. Poodle)?

What is Poodle?

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses non-deterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding oracle attack, aka the “POODLE” issue.

A number of vulnerability advisories have been assigned by NIST relating to this issue. See: CVE-2014-3566

Official Description of CVE-2014-3566

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

Is the CopperCube affected?

Yes. The CopperCube uses a version of SSL that is affected. Version 1.6 can be patched. Version 1.11 is immune to this issue.

What can be done about it?

The problem can be corrected by updating the CopperCube to use a fixed SSL negotiation and not falling back to v3.0 This requires the assistance of CopperTree Customer Solutions, and remote access to the CopperCube. The next release of the CopperCube (1.11) will include this fixed version.

What if I choose not to update?

If your CopperCube is not accessible from the Internet, then you have little to worry about.

If your CopperCube is exposed to the Internet then it is possible (however unlikely) that it could be compromised, and so we recommend having it updated.

Is Kaizen affected?

No, Version 1.6.2 released on 2014 Oct 21 does not use SSL3.0. It uses TLSv1 TLSv1.1 TLSv1.2 to connect.