The POODLE SSLv3 vulnerability and its impact on SSPR

  • 7015821
  • 22-Oct-2014
  • 23-Oct-2014


Self Service Password Reset
SSPR 3.x


Is SSPR exposed to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack?
How is SSPR affected by POODLE?


SSPR is not directly affected by POODLE, because SSPR itself does not handle HTTP or HTTPS connections.
However, the Tomcat web server that SSPR runs on (or the web server in front of Tomcat, depending on your configuration) could very well be affected by POODLE.
Consult the Tomcat and/or web server documentation for how to configure HTTPS so that SSL 3.0 is not used.
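One way to check an existing Tomcat configuration for this exposure, as an added example that is not part of the original article or of SSPR. It assumes JSSE (BIO/NIO) connectors that are configured through the `sslEnabledProtocols` attribute; connectors using the APR/native library are configured differently and are not covered. The sample `server.xml` content is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not taken from the original article).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"/>
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               sslEnabledProtocols="SSLv3,TLSv1"/>
    <Connector port="10443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
  </Service>
</Server>"""


def audit_connectors(server_xml):
    """Return (port, finding) pairs for HTTPS connectors that may offer SSL 3.0."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        # Only connectors that terminate TLS themselves are relevant.
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            # Assumption: without an explicit list the JVM defaults decide,
            # and those may still include SSL 3.0, so report it for review.
            findings.append((port, "sslEnabledProtocols not set; JVM defaults decide"))
            continue
        protocols = [p.strip().lower() for p in enabled.split(",") if p.strip()]
        if "sslv3" in protocols:
            findings.append((port, "SSLv3 explicitly enabled"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
```

If a web server sits in front of Tomcat and terminates HTTPS, its own protocol settings need the same review; this check only reads Tomcat's `server.xml`.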
For example, here is a third party article on disabling SSL3.0 on Tomcat:

The following page has lots of good information about POODLE: