Padding Oracle On Downgraded Legacy Encryption (POODLE) is a vulnerability that was identified in late 2014 and can affect secure communications that use the Secure Socket Layer (SSL) 3.0 or earlier protocol.
POODLE allows an attacker to decrypt ciphertext using a padding-oracle side-channel attack. Applications that use cipher-block chaining (CBC) with the SSL 3.0 communication protocol are vulnerable to POODLE attacks. The SSL 3.0 protocol does not adequately check the padding bytes that are sent with encrypted messages, so an attacker can replace those padding bytes. An attacker can exploit this vulnerability to decrypt and extract information from inside an encrypted transaction. Newer releases of secure communication protocols, including Transport Layer Security (TLS) 1.0, TLS 1.1 and TLS 1.2, are increasingly less susceptible.
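The following added example (not part of the original article or of OpenEdge) shows why the SSL 3.0 padding check is weaker than the TLS one: after CBC decryption, SSL 3.0 inspects only the final pad-length byte, whereas TLS 1.x requires every padding byte to equal that length. The block size, record bytes and padding values are constructed for illustration.

```python
# Added example: compare SSL 3.0 and TLS 1.x CBC padding validation rules.
# Assumes an 8-byte block cipher (e.g. 3DES-CBC); all record bytes are constructed.

BLOCK_SIZE = 8


def sslv3_padding_ok(plaintext: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """SSL 3.0 rule (RFC 6101): the last byte is the pad length and must be
    smaller than the block size; the filler bytes before it are never checked."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    return pad_len < block_size and pad_len + 1 <= len(plaintext)


def tls_padding_ok(plaintext: bytes) -> bool:
    """TLS 1.x rule (RFC 2246 onwards): every padding byte must equal the
    pad-length byte, so a record with altered filler bytes is rejected."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    padding = plaintext[-(pad_len + 1):]
    return all(b == pad_len for b in padding)


def strip_padding(plaintext: bytes) -> bytes:
    """Remove the pad-length byte and the pad_len filler bytes before it."""
    return plaintext[:-(plaintext[-1] + 1)]


def check_both(plaintext: bytes) -> tuple:
    """Return (accepted_by_sslv3, accepted_by_tls) for one decrypted record."""
    return sslv3_padding_ok(plaintext), tls_padding_ok(plaintext)


# Constructed sample: one block of application data followed by one full block of padding.
DATA = b"GETindex"                                     # 8 bytes of payload
GOOD_PAD = bytes([0x07] * 7) + b"\x07"                 # filler bytes equal the length byte
GARBAGE_PAD = bytes([0xAA, 0x13, 0x00, 0xFF, 0x42, 0x01, 0x99]) + b"\x07"  # filler altered

if __name__ == "__main__":
    for label, pad in (("well-formed", GOOD_PAD), ("altered filler", GARBAGE_PAD)):
        sslv3_ok, tls_ok = check_both(DATA + pad)
        print(f"{label:15s} SSLv3 accepts={sslv3_ok}  TLS accepts={tls_ok}")
```

Both records strip to the same payload, but only SSL 3.0 accepts the one whose filler bytes were changed; that silent acceptance is the oracle the text refers to, and it is why moving OpenEdge components to TLS 1.0 or later removes the exposure.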
In a default configuration, OpenEdge applications are vulnerable to POODLE attacks because they establish secure communications over SSL 3.0 by default.
In the OpenEdge versions listed below, each component can be manually configured to communicate over TLS 1.0 rather than the default SSL 3.0 protocol. Note that for some versions, a service pack and/or hot fix must be applied to enable this functionality.
To make OpenEdge client and server components safe from the POODLE SSL 3.0 attack, upgrade the OpenEdge installation to one of the versions listed below. Then configure the components to create secure connections using TLS 1.0 (or higher in a version where TLS 1.1 or 1.2 is provided), using any cipher that is compatible with that TLS version.
Upgrade to OpenEdge 10.2B0848. For further details, please reference the whitepaper "Addressing POODLE vulnerability and SHA2 support in Progress OpenEdge 10.2B08".
Upgrade to OpenEdge 11.3.3.026. For further details, please reference the whitepaper "Addressing POODLE vulnerability and SHA2 support in Progress OpenEdge 11.3.3".
Upgrade to OpenEdge 11.4.0.028. For further details, please reference the whitepaper "Addressing the POODLE Vulnerability in Progress OpenEdge in 11.4.0.028HF".
Upgrade to OpenEdge 11.5.1 or later. For further details, please reference the document "OpenEdge Service Pack: New Information", which is available on the Service Pack download page, or the whitepaper "Addressing the POODLE Vulnerability in Progress OpenEdge 11.5.1".
Upgrade to OpenEdge 11.6. For further details, please reference "OpenEdge Getting Started: Core Business Services - Security and Auditing, Chapter 2, Security in OpenEdge > SSL Security" in the OpenEdge 11.6 documentation set.