TLS 1.x Padding Vulnerability (TLS 'POODLE') and Attachmate Products

Document ID:7021976
Creation Date:10-Dec-2014
Modified Date:02-Mar-2018
- Micro Focus Products:
  Databridge
  Extra!
  Host Access Management and Security Server (MSS)
  InfoConnect Airlines Gateway
  InfoConnect Enterprise Edition
  InfoConnect Print and Transaction Router (PTR)
  Reflection (legacy 14.1)
  Reflection Desktop
  Reflection for Secure IT Client and Server for UNIX
  Reflection for Secure IT Client for Windows
  Reflection for Secure IT Gateway
  Reflection for Secure IT Server for Windows
  Reflection for the Web
  Reflection PKI Services Manager
  Reflection X (legacy 14.1)
  Reflection X Advantage
  Verastream Bridge Integrator (VBI)
  Verastream Host Integrator (VHI)
  Verastream Process Designer (VPD)
  Verastream SDK for Unisys and Airlines

Environment

All Attachmate products

Situation

Almost all Attachmate products are not subject to this vulnerability. This technical note provides details and references concerning the TLS 1.x padding vulnerability (TLS "POODLE").

Note: The original SSL 3.0 "POODLE" vulnerability is a separate issue. For information about the original vulnerability and affected Attachmate products, see KB 7021975.

Resolution

Vulnerability Overview

The TLS 1.x padding vulnerability (TLS "POODLE”) affects some TLS connections using ciphersuites with any block cipher encryption algorithm in CBC (Cipher Block Chaining) mode, where the CBC implementation does not adhere to the TLS 1.0 specification. This allows a man-in-the-middle attacker to capture and modify encrypted data by exploiting the same padding weakness present in the SSL 3.0 protocol to decrypt data without the private key. It is an implementation flaw in some TLS libraries, though Attachmate products do not use TLS libraries affected by this vulnerability.

Although the attack is primarily directed at browsers and web servers, it may apply to other applications, such as VPNs, FTPS file transfer, etc., where either the client or server are using libraries with the flawed implementation.

Product Vulnerability Status

The following chart includes information on the TLS 1.x padding vulnerability (CVE-2014-8730). Additional information will be provided soon.

Product	Status
Reflection 2014, 2011 products	Not vulnerable
Reflection 14.1 products	Not vulnerable
Reflection X Advantage 5.0	Not vulnerable
Reflection for the Web products	Not vulnerable
Reflection Security Gateway products	Not vulnerable
Reflection for Secure IT Client for Windows	Not vulnerable
Reflection for Secure IT Server for Windows	Not vulnerable; does not support TLS/SSL; uses SSH protocol
Reflection for Secure IT Server for UNIX	Not vulnerable; does not support TLS/SSL; uses SSH protocol
Reflection for Secure IT Web Edition	Not vulnerable
PKI Services Manager	Not vulnerable; does not support TLS/SSL
FileXpress Gateway	Not vulnerable
Verastream Host Integrator	Not vulnerable
Verastream Process Designer	Not vulnerable
Verastream Terminal Client	Not vulnerable
Verastream Bridge Integrator	Not vulnerable
INFOConnect products	Not vulnerable
EXTRA!	Not vulnerable

Vulnerability Addressed on Attachmate Website

Effective 10-Dec-2014, the TLS 1.x padding vulnerability has been addressed in HTTPS connections to the Attachmate website, https://www.attachmate.com.

References

For more information, please refer to the sources listed below:

Attachmate Security Updates are available at https://support.microfocus.com/security.