Novell Service Desk Announcement: CVE-2014-3566 'POODLE' weakness in the SSL protocol

  • 7015809
  • 21-Oct-2014
  • 21-Oct-2014

Environment

Novell Service Desk Appliance 6.5.4, 7.0, 7.0.1, 7.0.2, 7.0.3

Situation

SSLv3 Fallback Protection “POODLE” vulnerability (CVE-2014-3566)

Severity: Medium

Affected OpenSSL versions: 1.0.1, 1.0.0, 0.9.8

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker who can force a connection down to SSL 3.0 to decrypt ciphertext using a padding-oracle side-channel attack.

OpenSSL Description: "Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a number of weaknesses including POODLE."

All products using OpenSSL versions 1.0.1, 1.0.0 or 0.9.8 are affected.

Resolution

By default, Novell Service Desk does not have SSL enabled. However, if the Cool Solution for enabling SSL was followed, please follow the steps below to resolve the issue.

To resolve the NSD Appliance:
Edit the file nsd-ssl-vhost.conf and include the directive:

SSLProtocol all -SSLv2 -SSLv3
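
As an added check (not part of this TID or of the Novell appliance), the following Python evaluates an SSLProtocol value with mod_ssl's token semantics and reports whether a vhost configuration such as nsd-ssl-vhost.conf still permits SSLv3 after editing. The sample vhost text is constructed; the expansion of `all` and the default with no directive present are assumptions.

```python
import re

# Protocols a bare "all" is assumed to expand to (assumption: depends on the
# mod_ssl/OpenSSL build; the legacy ones are included deliberately so that a
# directive which forgets "-SSLv3" is always flagged).
ALL_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})

def parse_ssl_protocol(value):
    """Return the set of protocols enabled by an SSLProtocol value.
    mod_ssl semantics: a bare token replaces the set, "+tok" adds,
    "-tok" removes, "all" is ALL_PROTOCOLS; names are case-insensitive."""
    enabled = set()
    for token in value.split():
        action, name = "", token
        if token[0] in "+-":
            action, name = token[0], token[1:]
        if name.lower() == "all":
            selected = set(ALL_PROTOCOLS)
        else:
            selected = {p for p in ALL_PROTOCOLS if p.lower() == name.lower()}
            if not selected:
                raise ValueError("unknown SSLProtocol token: %r" % token)
        if action == "-":
            enabled -= selected
        elif action == "+":
            enabled |= selected
        else:
            enabled = selected
    return enabled

def sslv3_enabled(config_text):
    """True if the last SSLProtocol directive still permits SSLv3. With no
    directive at all the result is True, because the mod_ssl default of
    that era was "all" (assumption)."""
    enabled = set(ALL_PROTOCOLS)
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        match = re.match(r"SSLProtocol\s+(.+)$", line, re.IGNORECASE)
        if match:
            enabled = parse_ssl_protocol(match.group(1))
    return "SSLv3" in enabled

# Constructed sample vhost, not the appliance's real nsd-ssl-vhost.conf.
VULNERABLE_VHOST = "<VirtualHost *:443>\n  SSLEngine on\n  SSLProtocol all\n</VirtualHost>\n"
FIXED_VHOST = VULNERABLE_VHOST.replace("SSLProtocol all", "SSLProtocol all -SSLv2 -SSLv3")

if __name__ == "__main__":
    print("before fix, SSLv3 enabled:", sslv3_enabled(VULNERABLE_VHOST))  # True
    print("after fix, SSLv3 enabled:", sslv3_enabled(FIXED_VHOST))  # False
```

Run it against the edited vhost file contents; a result of True means the directive did not take effect and SSLv3 is still offered.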

For Linux and Windows:
Edit the file server.xml and include the following:

Status

Security Alert