TLS 1.x Padding Vulnerability (TLS 'POODLE') and Attachmate Products

  • 7021976
  • 10-Dec-2014
  • 02-Mar-2018

Environment

All Attachmate products

Situation

Almost all Attachmate products are unaffected by this vulnerability. This technical note provides details and references concerning the TLS 1.x padding vulnerability (TLS "POODLE").

Note: The original SSL 3.0 "POODLE" vulnerability is a separate issue. For information about the original vulnerability and affected Attachmate products, see KB 7021975.

Resolution

Vulnerability Overview

The TLS 1.x padding vulnerability (TLS "POODLE") affects some TLS connections that use ciphersuites with any block cipher encryption algorithm in CBC (Cipher Block Chaining) mode, where the CBC implementation does not adhere to the TLS 1.0 specification. A man-in-the-middle attacker who can capture and modify encrypted data can exploit the same padding weakness present in the SSL 3.0 protocol to decrypt data without the private key. It is an implementation flaw in some TLS libraries; Attachmate products do not use TLS libraries affected by this vulnerability.

Although the attack is primarily directed at browsers and web servers, it may apply to other applications, such as VPNs and FTPS file transfer, where either the client or the server is using a library with the flawed implementation.
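
The following Python example is an added illustration, not Attachmate code and not part of the original technical note. It contrasts a receiver that examines only the padding-length byte, as SSL 3.0 permits, with the check TLS 1.x specifies, in which every padding byte must equal the padding length. The function names and sample records are constructed for this example.

```python
from typing import Optional

# Decrypted CBC fragment layout: content || MAC || padding || padding_length
BLOCK_SIZE = 16  # AES block size in bytes


def lax_padding_ok(fragment: bytes, mac_len: int) -> bool:
    """SSL 3.0-style check: only the final padding-length byte is examined."""
    if not fragment or len(fragment) % BLOCK_SIZE:
        return False
    pad_len = fragment[-1]
    return pad_len + 1 + mac_len <= len(fragment)


def tls_padding_ok(fragment: bytes, mac_len: int) -> bool:
    """TLS 1.x check: every padding byte must equal the padding length."""
    if not fragment or len(fragment) % BLOCK_SIZE:
        return False
    pad_len = fragment[-1]
    if pad_len + 1 + mac_len > len(fragment):
        return False
    # Accumulate differences rather than returning at the first mismatch, so
    # the result does not depend on which padding byte was wrong. A real record
    # layer also verifies the MAC and reports both failures identically.
    diff = 0
    for b in fragment[-(pad_len + 1):]:
        diff |= b ^ pad_len
    return diff == 0


def build_fragment(content: bytes, mac: bytes, filler: Optional[int] = None) -> bytes:
    """Build a constructed plaintext fragment padded to BLOCK_SIZE.

    filler=None writes compliant padding; otherwise the padding bytes are set
    to `filler` while the final padding-length byte stays correct.
    """
    body = content + mac
    pad_len = (BLOCK_SIZE - (len(body) + 1) % BLOCK_SIZE) % BLOCK_SIZE
    pad_byte = pad_len if filler is None else filler
    return body + bytes([pad_byte]) * pad_len + bytes([pad_len])


# Constructed sample records with a 20-byte placeholder MAC (HMAC-SHA1 size).
MAC = bytes(20)
good = build_fragment(b"GET / HTTP/1.1\r\n", MAC)
bad = build_fragment(b"GET / HTTP/1.1\r\n", MAC, filler=0xAA)

if __name__ == "__main__":
    for name, rec in (("compliant", good), ("non-compliant", bad)):
        print(name, "lax:", lax_padding_ok(rec, 20), "tls:", tls_padding_ok(rec, 20))
```

A library that accepts the non-compliant record behaves like the lax check and is the kind of implementation this vulnerability concerns; the compliant check rejects it.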

Product Vulnerability Status

The following chart includes information on the TLS 1.x padding vulnerability (CVE-2014-8730). Additional information will be provided soon.

| Product | Status |
|---|---|
| Reflection 2014, 2011 products | Not vulnerable |
| Reflection 14.1 products | Not vulnerable |
| Reflection X Advantage 5.0 | Not vulnerable |
| Reflection for the Web products | Not vulnerable |
| Reflection Security Gateway products | Not vulnerable |
| Reflection for Secure IT Client for Windows | Not vulnerable |
| Reflection for Secure IT Server for Windows | Not vulnerable; does not support TLS/SSL; uses SSH protocol |
| Reflection for Secure IT Server for UNIX | Not vulnerable; does not support TLS/SSL; uses SSH protocol |
| Reflection for Secure IT Web Edition | Not vulnerable |
| PKI Services Manager | Not vulnerable; does not support TLS/SSL |
| FileXpress Gateway | Not vulnerable |
| Verastream Host Integrator | Not vulnerable |
| Verastream Process Designer | Not vulnerable |
| Verastream Terminal Client | Not vulnerable |
| Verastream Bridge Integrator | Not vulnerable |
| INFOConnect products | Not vulnerable |
| EXTRA! | Not vulnerable |

Vulnerability Addressed on Attachmate Website

Effective 10-Dec-2014, the TLS 1.x padding vulnerability has been addressed in HTTPS connections to the Attachmate website, https://www.attachmate.com.

References

For more information, please refer to the sources listed below:

Attachmate Security Updates are available at http://support.microfocus.com/security.


Status

Security Alert

Additional Information

Legacy KB ID

This article was originally published as Attachmate technical note 2767.