Environment
Self Service Password Reset
SSPR 3.x
Situation
Is SSPR exposed to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack?
How is SSPR affected by POODLE?
Resolution
SSPR is not directly affected by POODLE: SSPR itself does not terminate HTTP or HTTPS connections, so it never negotiates SSL 3.0.
However, the Tomcat web server that SSPR runs on (or the web server in front of Tomcat, depending on your configuration) could very well be affected by POODLE, because that is where TLS is terminated.
Consult the Tomcat and/or web server documentation on how to configure HTTPS so that SSL 3.0 is never negotiated.
For example, here is a third-party article on disabling SSL 3.0 on Tomcat:
http://blog.facilelogin.com/2014/10/poodle-attack-and-disabling-ssl-v3-in.html
The following page has lots of good information about POODLE:
http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability
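As an added illustration (not part of the original article), the following Python script audits constructed Tomcat `server.xml` fragments: a connector that relies on JVM defaults for protocol selection beside one that pins the handshake to TLS with `sslEnabledProtocols`. The keystore path, password and port are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragments (not from the article). The first
# connector sets only sslProtocol="TLS", which picks the SSLContext but does
# not restrict which protocol versions may be negotiated; older JVMs then
# still offer SSLv3. The second pins the negotiable versions to TLS only.
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="/path/to/keystore" keystorePass="PLACEHOLDER"
             clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""

HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="/path/to/keystore" keystorePass="PLACEHOLDER"
             clientAuth="false" sslProtocol="TLS"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
</Service></Server>"""

LEGACY_PROTOCOLS = {"SSLv3", "SSLv2"}  # versions POODLE-era guidance disables


def audit_connectors(server_xml):
    """Return (port, finding) pairs for SSL-enabled connectors that may
    still negotiate SSL 3.0. An empty list means every HTTPS connector
    explicitly restricts itself to TLS versions."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connectors do not negotiate TLS
        port = conn.get("port")
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            findings.append((port, "sslEnabledProtocols unset; JVM default "
                                   "protocol list may include SSLv3"))
            continue
        versions = {v.strip() for v in enabled.split(",") if v.strip()}
        legacy = sorted(versions & LEGACY_PROTOCOLS)
        if legacy:
            findings.append((port, "legacy protocols enabled: " + ",".join(legacy)))
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_connectors(xml) or "no SSLv3 exposure found")
```

Run it against a real `server.xml` by reading the file contents into `audit_connectors`; connectors using the newer `<SSLHostConfig protocols="...">` form are not covered by this check.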