OpenText response to POODLE vulnerability (CVE-2014-3566)

At OpenText, the security and privacy of our customers’ information is our top priority.

OpenText is aware of and has been carefully monitoring the recent news surrounding the POODLE vulnerability. POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability affects older standards of encryption, specifically Secure Sockets Layer (SSL) version 3. It does not affect the newer encryption mechanism known as Transport Socket Layer (TLS). In an effort to help reduce the risk to our customers, OpenText has proactively reviewed all GXS communication gateways to assess the potential impact of the issue described in CVE-2014-3566.

At OpenText, we are committed to upholding our obligations regarding the security and privacy of our customers’ information. As such, we will continue to evaluate our software products and take necessary action to reduce any potential risks associated with the POODLE vulnerability.

Read OpenText’s response to the POODLE vulnerability

Download Response:

Frequently Asked Questions

Download FAQ:

What is POODLE?

POODLE is an acronym for Padding Oracle On Downgraded Legacy Encryption. The security issue is exactly what the name suggests, a protocol downgrade that allows exploits on an outdated form of encryption. The issue came to the world’s attention when Google released a paper called This POODLE Bites: Exploiting The SSL 3.0 Fallback.


How does POODLE work?

POODLE allows an attacker to perform a man-in-the-middle attack which may force a connection to “fallback” to Secure Sockets Layer (SSL) version 3.0, making it possible for an attacker to obtain sensitive user data. The data at risk of being exposed can vary based on the type of SSL connectivity enabled.

This vulnerability is rated as Medium. This means that the issue provides an opportunity for an attacker to compromise the confidentiality, integrity, and/or availability of data elements, but requires one or more pre-conditions to exist. A POODLE attack is extremely difficult to execute and requires over 250 transaction attempts to reveal a single byte of data.


What is OpenText doing to protect customers?

OpenText security experts are currently analyzing the risks associated with POODLE. Where necessary, OpenText will disable SSL to prevent it from being used to access GXS communication gateways. Instead, OpenText will use Transport Layer Security (TLS) 1.0, which is a more recent protocol that is not affected by the POODLE bug.


How does this affect me?

Any service that supports Secure Sockets Layer (SSL) version 3 (SSLv3) may be exploited so that an attacker can decrypt secure sessions, potentially revealing user data.

A connection is only susceptible to a POODLE attack if both the sender and receiver support SSLv3. If you have already disabled SSLv3, you are not affected by the issue documented above. OpenText recommends that you contact your internal application administrator or software provider to ensure you are using TLS 1.0 or later (with SSLv3 disabled) to connect to our services.


What do I need to do?

OpenText will update the protocol on affected communication gateways in phases. Remediation plans are still being finalized and details on roll-over dates will be communicated shortly. Customers will be given reasonable notification of changes before the planned roll-over dates (normally 60 days).

In the meantime, customers should proactively ensure that their communication software supports TLS in fallback mode (TLS 1.2, 1.1, and 1.0). If your use case allows, OpenText recommends that you disable SSL immediately. Please contact your software provider if you have any questions on how to disable SSL.


What browsers are affected by POODLE?

For browser based applications, any web browser that makes use of SSLv3 is at risk. Although the majority of modern web browsers (Chrome, Firefox, Safari, and Internet Explorer 9+) use TLS 1.0 or later, legacy browsers such as Internet Explorer 6 only support SSLv3. This means that users who are utilizing older PCs and browser versions may be impacted by the POODLE vulnerability.


What happens to my account if I try to access OpenText services without updating my browser?

Although your account will not be shut down, the connection will be refused and you will be unable to access OpenText services.


What connection methods could be susceptible to POODLE?

OpenText Information Security is conducting an analysis to determine the risk that POODLE represents to the various communications protocols used to connect to OpenText services. The list of communications protocols that make use of the security capabilities of SSL include:

  • HTTPs
  • FTPs
  • AS2
  • RosettaNet
  • OFTP
  • MQ
  • AS3

If you or your trading partner(s) use any of the communications protocols listed above, there is no immediate need for concern. OpenText is conducting a risk analysis on each protocol to determine which protocols require SSL to be disabled. Affected customers will be given reasonable notification of changes before the planned roll-over dates (normally 60 days).


How do I disable SSLv3?

Browsers
There are many resources available on the internet that provide instructions on how to disable SSLv3 support in browsers. An example would be https://zmap.io/sslv3/browsers.html.

Connection Software
If you use a third-party software package to connect to our services, OpenText recommends that you contact your software provider as soon as possible to ensure TLS is supported and you can safely disable SSL.


Who should I contact for further information?

If you have any questions or need additional assistance, you may contact your support organization using the contact information provided to you or you may visit the OpenText website for worldwide contact information.

Report a security vulnerability

If you discover a security vulnerability that could potentially affect an OpenText product or service please let us know.

Report Now

Podcasts & Videos

Information Security in the Digital Age

Read Now

Tech Talk Episode 2: Protecting your Information with Greg Murray

Watch Now