This notice is for informational purposes only and is intended to provide you with the latest update from Globalscape regarding the “POODLE vulnerability” (CVE-2014-3566).
The “POODLE Vulnerability” (CVE-2014-3566) is a serious vulnerability in the popular OpenSSL cryptographic software library (through version 1.0.1i). This weakness allows an attacker to steal information that is normally protected by the SSL encryption used to provide communication security and privacy over the Internet for applications such as web, email, instant messaging (IM), and some virtual private networks (VPNs).
The DMZ Gateway® and WAFS are not vulnerable to POODLE exploits.
Enhanced File Transfer Server (EFT)
EFT supports SSL connections for HTTPS and FTPS. For broad client support and backward compatibility, SSLv3 can be enabled on EFT. The SSLv3 protocol is vulnerable to the POODLE exploit. It is highly recommended, therefore, that you verify and modify the SSL configuration of EFT as needed to protect your information assets.
Workaround for EFTv7
Further information is available here in the Globalscape Knowledgebase.
- Log in to the EFT administration interface, and click the Server tab.
- In the left pane, click the server (topmost) node.
- In the right pane, click the Security tab.
- Under SSL Compatibility, click Defined, and then select *only* the TLS 1.0 check box. (Clear the SSL 3.0 and SSL 2.0 check boxes, if selected.)
- Ensure that your EFT Administration channel is properly secured:
  - Disallow remote connections to the server if at all possible, and simply RDP into the server computer to perform administration functions against the local system.
  - If you do allow remote administration, ensure that you enable SSL and restrict IP addresses to only those computers on your network that need to connect for administration of the server. That is, on the Administration tab, change Server administrator listening IP from All Incoming to one or more specific IP addresses, as described here.
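After applying the workaround above, an administrator will want to confirm from the network side that the listener no longer accepts SSLv3. The following script is an added example, not Globalscape code: it sends a minimal SSLv3 ClientHello to a host and port you supply (hostname, port and the sample responses are assumptions and constructed values, not taken from this notice) and reports whether the server answered with an SSLv3 ServerHello (version bytes 0x03 0x00), an alert, or simply closed the connection. The two embedded byte strings are constructed server replies so the classifier can be exercised offline.

```python
import socket
import struct
import sys

SSL3_VERSION = (3, 0)  # SSLv3 on the wire is major 3, minor 0

def build_sslv3_client_hello(cipher_suites=(0x002F, 0x0035, 0x000A, 0x0005, 0x0004)):
    """Build a minimal SSLv3 ClientHello record (version 3.0, no extensions).

    The cipher suite list is a constructed, commonly offered set; a fixed
    all-zero client random is fine for a version probe (no session is used).
    """
    client_random = b"\x00" * 32
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        bytes(SSL3_VERSION)                     # client_version = 3.0
        + client_random
        + b"\x00"                               # session_id length = 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                           # one compression method: null
    )
    # Handshake header: type 1 (ClientHello) + 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 0x16 (handshake) + version + 16-bit length
    return b"\x16" + bytes(SSL3_VERSION) + struct.pack("!H", len(handshake)) + handshake

def classify_server_response(data):
    """Classify the first record a server returned to an SSLv3 ClientHello.

    Returns one of:
      'sslv3_accepted' - a ServerHello carrying version 3.0 came back
      'sslv3_rejected' - an alert record, or the server closed the socket
      'unknown'        - anything else (truncated or unexpected data)
    """
    if not data:
        # Many servers with SSLv3 disabled just drop the connection.
        return "sslv3_rejected"
    if len(data) < 5:
        return "unknown"
    content_type = data[0]
    if content_type == 0x15:                    # alert (e.g. handshake_failure)
        return "sslv3_rejected"
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:  # ServerHello
        server_version = (data[9], data[10])
        if server_version == SSL3_VERSION:
            return "sslv3_accepted"
        # A server may only answer 3.0 or fail; any other version is not SSLv3.
        return "sslv3_rejected"
    return "unknown"

def probe_sslv3(host, port=443, timeout=5.0):
    """Connect to host:port, send the SSLv3 ClientHello and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            data = sock.recv(4096)
    except (ConnectionResetError, socket.timeout):
        # A reset or silence after the hello is treated as SSLv3 not offered.
        data = b""
    return classify_server_response(data)

# Constructed sample replies (not captured from any real system):
# ServerHello, record version 3.0, cipher 0x002F, null compression.
SAMPLE_ACCEPTED = (
    b"\x16\x03\x00\x00\x2a" + b"\x02\x00\x00\x26" + b"\x03\x00"
    + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
)
# Fatal alert (level 2) handshake_failure (40).
SAMPLE_REJECTED = b"\x15\x03\x00\x00\x02\x02\x28"

if __name__ == "__main__":
    # Usage: python probe.py eft.example.internal 443   (hostname assumed)
    target = sys.argv[1] if len(sys.argv) > 1 else "eft.example.internal"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(target, target_port, probe_sslv3(target, target_port))
```

Run it against each EFT listener (HTTPS and FTPS on their configured ports) after changing the SSL Compatibility setting; a result of `sslv3_accepted` means the listener still needs attention, while `sslv3_rejected` on every port is the expected outcome. The probe only completes the version negotiation step and never proceeds to a key exchange, so it is safe to run against production listeners.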
Mail Express
Similar to EFT, Mail Express leverages SSLv3 in its current and historical versions and therefore is vulnerable to POODLE attacks. SSLv3 can be disabled via a configuration file or by enabling FIPS compatibility mode in the administrator UI. A patched version is also available that disables SSLv3 by default for new installations. For more information, please see here.
EFT and Mail Express customers who have further queries or are not currently covered by a maintenance and support agreement should get in touch here.