In a blog post on Tuesday, Google announced a vulnerability in the design of SSL version 3.0 (CVE-2014-3566), nicknamed POODLE. The SSLv3 protocol is used in OpenSSL and other commercial products. This vulnerability allows a network attacker to calculate the plaintext of secure connections and has an overall CVSS severity rating of MEDIUM.
Ipswitch immediately assessed all of its products as soon as we became aware of the vulnerability. We've identified specific recommendations for MOVEit Managed File Transfer, WS_FTP Server and MessageWay and continue to evaluate remaining Ipswitch products, including WhatsUp Gold and IMail Server. While POODLE is not considered high risk to our customers, we will provide additional guidance for those products as soon as it's available.
To protect against this attack, it is recommended that all customers disable SSLv3 for all services and clients. Please find specific instructions for the following products in this Ipswitch Knowledgebase article:
- MOVEit File Transfer (DMZ) Server and API Module
- MOVEit Central
- MOVEit Ad Hoc
- MOVEit Mobile
- MOVEit Xfer
- MOVEit Freely
- WS_FTP Server
- WS_FTP Web Transfer Module
- WS_FTP Professional
Following the instructions above may cause compatibility problems for users on old platforms and browsers that do not support TLS 1.0 or higher. While both Google and Mozilla have announced plans to remove support for SSLv3 from their browsers soon, it's still recommended that you test these configuration changes and carefully monitor the production system after making any changes, so that you are prepared to handle any negative impact.