The POODLE SSLv3 vulnerability and its impact on SSPR

  • 7015821
  • 22-Oct-2014
  • 23-Oct-2014

Environment

Self Service Password Reset
SSPR 3.x


Situation

Is SSPR exposed to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack?
How is SSPR affected by POODLE?

Resolution

SSPR is not directly affected by POODLE. SSPR itself does not terminate HTTP or HTTPS connections.
However, the Tomcat web server that SSPR runs on (or the web server in front of Tomcat, depending on your configuration) could very well be affected by POODLE, because the vulnerable SSL 3.0 protocol is negotiated there.

Consult the Tomcat and/or web server documentation for how to configure HTTPS so that SSL 3.0 is not offered to clients.
For example, here is a third-party article on disabling SSL 3.0 on Tomcat:
http://blog.facilelogin.com/2014/10/poodle-attack-and-disabling-ssl-v3-in.html
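The Tomcat change the linked article describes, shown here as an added example that is not from this KB article or the SSPR product: the same JSSE HTTPS connector in server.xml before and after SSLv3 is excluded. The port, keystore path and password are placeholders; the attribute names are Tomcat 7 JSSE connector attributes, and an APR/native connector uses SSLProtocol instead.

```xml
<!-- Tomcat 7 server.xml, JSSE (BIO/NIO) HTTPS connector.
     Port, keystore path and password below are placeholders. -->

<!-- BEFORE: no sslEnabledProtocols attribute. Tomcat then uses the JVM's
     default list of enabled protocols, which may still contain SSLv3, so a
     client can be downgraded to it. sslProtocol="TLS" only selects the
     SSLContext implementation; it does NOT exclude SSLv3. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="conf/sspr-keystore.jks" keystorePass="changeit"
           clientAuth="false" />

<!-- AFTER: enabled protocols listed explicitly. SSLv3 and SSLv2Hello are
     absent from the list, so the server refuses an SSLv3 handshake. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           keystoreFile="conf/sspr-keystore.jks" keystorePass="changeit"
           clientAuth="false" />
```

After restarting Tomcat, confirm from another host that `openssl s_client -ssl3 -connect <host>:8443` fails its handshake while a plain `openssl s_client -connect <host>:8443` succeeds. Note that many current OpenSSL builds are compiled without SSLv3 support and will reject the `-ssl3` option itself, which tells you nothing about the server.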

The following page has lots of good information about POODLE:
http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability