NAVEX Global Security has been made aware of a vulnerability in the SSLv3 protocol. We would like to share the measures we have taken to protect our clients and partners from this risk.
Background
Known formally as CVE-2014-3566, the SSL 3.0 or “POODLE” vulnerability potentially allows an attacker to gain access to data passed within an encrypted web session (such as a password), which can then be used to impersonate a user and gain more complete access.
Impact
This vulnerability is classified as medium. The POODLE attack can be used against any system or application that supports SSL 3.0 with CBC mode ciphers if all three conditions are met.
Review & Mitigation
Upon learning about the vulnerability, we immediately worked to determine the potential impact. Gateway, EthicsPoint Case Management, Third Party Risk Management, PolicyTech Policy Management, NAVEX Global Learning Management System (LMS), IntegriLink Classic, and IntegriLink Portal Case Management servers have SSL 3.0 enabled, although not all are using CBC ciphers.
In response to this risk, on October 24, 2014, the IT Hosting Team will be disabling SSL 3.0. Customers should experience limited impact due to the disabling of SSL 3.0 access. Customers simply need to ensure they are accessing the portal using a Browser or Client that support TLS 1.0 or greater.
Typical browsers that already support this include:
- Internet Explorer version 7 and later
- Firefox version 1.0 and later
- Chrome version 1.0 and later
- Safari version 1.0 and later
Questions?
Please feel free to reach out to Client Support or to your NAVEX Global sales representative with any additional questions or concerns.