[Security] [HUB] POODLE attack exploiting SSL 3.0 fallback
Information
A vulnerability in the SSLv3 protocol, CVE-2014-3566, was identified by the Google security team. An additional whitepaper from OpenSSL also describes this vulnerability.
You can check if your website is vulnerable with curl:
    curl -v3 -X HEAD https://www.example.com
If you are NOT vulnerable, your output should look something like this:
    curl: (35) SSL connect error
If you ARE vulnerable, you will see normal connection output, potentially including the line:
    SSL 3.0 connection using ...
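An alternative to the curl check above, as an added example that is not part of the original article: a Python probe that offers only SSL 3.0 in a hand-built ClientHello, so the result does not depend on the local curl or TLS library still supporting SSLv3. The cipher-suite list, function names and result labels are assumptions made for this example.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"  # protocol version 3.0 as it appears on the wire
# Widely supported SSL 3.0 suites (AES/3DES-CBC and RC4), chosen for this probe
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_sslv3_client_hello():
    """Return one record carrying an SSL 3.0 ClientHello (no extensions, no SNI)."""
    suites = b"".join(struct.pack("!H", c) for c in CIPHER_SUITES)
    body = (SSL3 + os.urandom(32)                      # client_version, random
            + b"\x00"                                  # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                             # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data):
    """Interpret the first bytes of the server's answer to the ClientHello."""
    if len(data) < 6:
        return "refused"            # connection closed before a full record header
    if data[0] == 0x15:
        return "refused"            # alert record (handshake_failure, protocol_version)
    if data[0] == 0x16 and data[5] == 0x02 and data[1:3] == SSL3:
        return "sslv3-accepted"     # ServerHello sent at version 3.0
    return "inconclusive"           # not something this probe understands


def probe(host, port=443, timeout=5.0):
    """Offer only SSL 3.0 to host:port and report how the server reacts."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            while len(data) < 6:
                chunk = sock.recv(6 - len(data))
                if not chunk:
                    break
                data += chunk
    except ConnectionResetError:
        return "refused"            # many servers reset instead of sending an alert
    except OSError:
        return "inconclusive"       # timeout, DNS failure, port closed
    return classify_reply(data)
```

Calling `probe("www.example.com")` for a server you administer returns `sslv3-accepted` when SSL 3.0 is still enabled and `refused` once it has been disabled.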
Resolution
Although the likelihood of this vulnerability being exploited is quite low, the simplest fix is to disable SSL 3.0. This obsolete protocol version is kept only for compatibility and is not required for Parallels products.
For specific Parallels products, here is the list of articles which you may refer to: