What is the POODLE SSLv3 Design Vulnerability?
On October 15, 2014, researchers from Google released a paper discussing a serious bug in SSL version 3.0 (SSLv3) that potentially could allow attackers to conduct man-in-the-middle attacks and decrypt traffic between web servers and end users. This vulnerability is more popularly referred to as POODLE (Padding Oracle On Downgraded Legacy Encryption) and has been assigned the following CVE ID: CVE-2014-3566.
Who is impacted by POODLE?
SSL 3.0 is an older encryption protocol that has been around for 15 years. It has been succeeded by TLS (which is now at version 1.2). However, many TLS clients and servers will downgrade to earlier versions of the protocol if one side of the transaction does not support the latest version.
Because several Trend Micro products utilize encryption technology, some of these products may be affected by this vulnerability if the original standard is adhered to and the fallback mechanisms are in place. This article will contain the list of products that are affected and the recommended action to take to eliminate the risks as they are identified and corrected.
The recommended solution at this time is to disable the SSLv3 protocol on clients and servers. The TrendLabs Security Intelligence Blog on POODLE highlights some methods to do this under the Countermeasures section of the article. However, disabling SSLv3 is not practical for many users and organizations, as many legacy and other products, including some Trend Micro ones, may require it or produce unintended results if SSLv3 is disabled without additional steps.
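Before disabling SSLv3, it helps to know which connections still end up on it. The following added example (not part of the original advisory and not Trend Micro code) reads the protocol version a server selected from the first bytes of its ServerHello and flags flows that were negotiated down to SSLv3; the sample records and flow labels are constructed for illustration.

```python
import struct

# Wire values of the (major, minor) version field in a ServerHello.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
HANDSHAKE_RECORD = 22  # record-layer content type: handshake
SERVER_HELLO = 2       # handshake message type: ServerHello


def negotiated_version(record: bytes):
    """Return the version chosen in a ServerHello, or None when the bytes
    are not one complete record that begins with a ServerHello.
    A ServerHello fragmented across records is not reassembled here."""
    if len(record) < 5:
        return None
    ctype, _maj, _min, rec_len = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != HANDSHAKE_RECORD or len(body) < rec_len or len(body) < 6:
        return None
    if body[0] != SERVER_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_len < 2 or 4 + hs_len > len(body):
        return None
    major, minor = body[4], body[5]
    return VERSIONS.get((major, minor), f"unknown({major},{minor})")


def flag_sslv3(flows):
    """Return (label, version) for every flow whose server selected SSLv3."""
    return [(label, v) for label, rec in flows
            if (v := negotiated_version(rec)) == "SSLv3"]


def _sample_server_hello(major, minor):
    # Constructed input: version, 32-byte random, empty session id,
    # cipher suite 0x002f (a CBC suite), null compression.
    hello = bytes([major, minor]) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    header = bytes([HANDSHAKE_RECORD, major, minor]) + struct.pack("!H", len(handshake))
    return header + handshake


# Constructed flows: one modern negotiation, one that fell back to SSLv3.
SAMPLES = [("modern-client", _sample_server_hello(3, 3)),
           ("legacy-client", _sample_server_hello(3, 0))]

if __name__ == "__main__":
    for label, version in flag_sslv3(SAMPLES):
        print(f"{label}: server selected {version}, review before disabling SSLv3")
```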
Important: Trend Micro is currently investigating all the products known to use SSLv3 and will periodically update the list below as affected versions are identified and critical patches, fixes, or workarounds are made publicly available.
What Trend Micro products are affected?
What if my product is not listed?
If the product has not reached End-of-Support, it is most likely that Trend Micro is still analyzing the vulnerability and its impact on your product. As soon as the analysis is completed, the product will be added to the list.
What if I have additional questions?
For additional inquiries, contact Technical Support.