Educause Security Discussion mailing list archives

REN-ISAC ALERT: Muzzling POODLE (While Cleaning Up Other Related Vulnerabilities, Too)


From: Doug Pearson <dodpears () REN-ISAC NET>
Date: Thu, 23 Oct 2014 09:55:55 -0400

REN-ISAC SECURITY ALERT
Muzzling POODLE (While Cleaning Up Other Related Vulnerabilities, Too)
October 22, 2014

To: IT Executives and Security Staff

The full Alert is attached, and located at:
http://www.ren-isac.net/alerts/REN-ISAC_Alert_POODLE_and_Crypto_20141022.pdf

EXECUTIVE SUMMARY of the Alert:

There have been many recent security advisories involving SSL/TLS
encryption-related vulnerabilities, including most notably BEAST, the
highly publicized Heartbleed bug, the BERserk vulnerability, and most
recently, POODLE. Many sites have taken specific actions to address one
or more of these high profile vulnerabilities, and we commend you for
doing so -- your efforts help to protect your systems, the information
they store and process, and your users.

However, if you only take steps to address those particular high profile
issues, your systems that rely on SSL/TLS are likely still insecure due
to other equally serious (but less well-publicized) SSL/TLS-related
issues. This alert will help you to assess the status of your servers
and to understand the steps you should be undertaking to fix the POODLE
vulnerability in particular. Also, it will suggest what you should be
doing in general to improve the quality of the SSL/TLS cryptography
you're depending on.

Specifically we recommend that all sites should (1) identify their
servers that use SSL/TLS, (2) assess the status of each of those
servers, (3) update server cryptographic libraries, and (4) harden
server crypto configurations.

Technical recommendations concerning those steps are provided in the
full Alert.


Sincerely,

Your REN-ISAC Team
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630

Attachment: REN-ISAC_Alert_POODLE_and_Crypto_20141022.pdf