VisibleThread -
Help Center Find helpful articles on different VisibleThread Products

Follow

SSL 'POODLE' Vulnerability

"POODLE" is the code name for a security vulnerability recently discovered in the SSLv3 libaries used by some browsers to handle secure communication between the browser and web applications.

To read more about the nature of this vulnerability follow these links: 

 

https://www.us-cert.gov/ncas/alerts/TA14-290A

https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack

 

All major browser vendors (Google, Firefox, Microsoft) have released updates to their browsers to remove support for SSLv3 and hence remove this vulnerability, however it also possible to update your web servers to prevent the vulnerable SSLv3 library being used should a user use an unpatched web browser.

 

How does this impact VisibleThread and Clarity Grader cloud customers

Both the VisibleThread Docs and Clarity Grader cloud servers have been patched to remove support for this vulnerable SSLv3 library. So even if you are not using a 'safe' browser (i.e. one that has been recently updated) your communication with the VisibleThread servers is not vulnerable to this flaw.

 

How does this impact VisibleThread Docs on premise customers

This vulnerability has less on an impact on our customer who are using VisibleThread docs behind their firewall, due to the closed nature of their network. Nevertheless for VisibleThread Docs customer running on Ubuntu 12.04 its possible to patch your server to remove support for the vulnerable SSL v3 library.

To do so follow these steps:

1. Log on to the VisibleThread server console and type:

mkdir /home/visiblethread/oldapacheconfig

 

2. Now backup our apache config

cp /etc/apache2/sites-enabled/000-default /home/visiblethread/oldapacheconfig

 

3. Now we want to edit our apache config file:

sudo nano /etc/apache2/sites-enabled/000-default

 

4. Once we have opened the editor we want to find the line that contains 'SSLProtocol -ALL +SSLv3 +TLSv1' and replace it with:

SSLProtocol all -SSLv2 -SSLv3

 

5. Now type 'CTRL-O' and hit return to save your changes, and 'CTRL-X' to exit.

 

6. Finally we need to restart apache to pick up the changes:

sudo service apache2 restart

 

Thats it!

 

 

 

 

Was this article helpful?
0 out of 0 found this helpful

Get Additional Help

Visit our Helpdesk for additional help and support.