2014-10-14 Instructure Advisory IAC29735 - "POODLE" SSLv3 vulnerability - CVE-2014-3566

Document created by jordan@instructure.com on Sep 22, 2015. Last modified by scottd@instructure.com on Sep 22, 2015.
Version 2

    SECURITY UPDATE


 

  Release Date: 2014-1-14 (Last update can be found below the document title)
  Description: A vulnerability was discovered in SSLv3 that could allow a remote attacker to force a TLS downgrade negotiation, which could result in SSLv3 with weak ciphers being used. Once downgraded, the traffic is susceptible to a man-in-the-middle (MITM) attack.
  Criticality Level: Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact: Allows unauthorized disclosure of information
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: Google Security
  Relevant Changesets:

Google Online Security Blog: This POODLE bites: exploiting the SSL 3.0 fallback

CVE - CVE-2014-3566


 

Summary:

On October 14th, Google security released an advisory regarding a newly discovered SSLv3 attack. Once the Instructure InfoSec team was made aware of the advisory, it took immediate action to disable SSLv3 and its related ciphers on the Canvas platform.
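One way to confirm that an endpoint no longer negotiates SSLv3 is to inspect the first record it returns to a handshake. The following is an added example, not Instructure's code: the function and constant names are hypothetical and the sample records are constructed rather than captured.

```python
import struct

# Wire versions: SSLv3 is 0x0300; TLS 1.0 to 1.2 are 0x0301 to 0x0303.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}
ALERT, HANDSHAKE, SERVER_HELLO = 21, 22, 2

def classify_reply(data: bytes) -> tuple:
    """Return (verdict, detail) for the first record of a server's reply.

    verdict is 'sslv3' (server selected SSLv3), 'no-sslv3', or 'inconclusive'.
    """
    if len(data) < 5:
        return "inconclusive", "no complete record header"
    rec_type, _rec_version, rec_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + rec_len]
    if len(body) < rec_len:
        return "inconclusive", "truncated record"
    if rec_type == ALERT and rec_len == 2:
        level, desc = body
        return "no-sslv3", f"alert {ALERTS.get(desc, desc)} (level {level})"
    # Handshake header: type (1 byte) + length (3 bytes), then server_version (2 bytes).
    if rec_type == HANDSHAKE and rec_len >= 6 and body[0] == SERVER_HELLO:
        (chosen,) = struct.unpack("!H", body[4:6])
        name = VERSIONS.get(chosen, hex(chosen))
        if chosen == 0x0300:
            return "sslv3", f"ServerHello selected {name}"
        return "no-sslv3", f"ServerHello selected {name}"
    return "inconclusive", f"unexpected record type {rec_type}"

def _record(rec_type: int, version: int, body: bytes) -> bytes:
    """Build a constructed sample record (test data only)."""
    return struct.pack("!BHH", rec_type, version, len(body)) + body

def _server_hello(version: int) -> bytes:
    # version + 32-byte random + empty session id + cipher suite + null compression
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    msg = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return _record(HANDSHAKE, version, msg)

# Constructed samples, not captured traffic.
SAMPLE_SSL3_ACCEPTED = _server_hello(0x0300)
SAMPLE_TLS12_CHOSEN = _server_hello(0x0303)
SAMPLE_ALERT = _record(ALERT, 0x0300, bytes([2, 40]))  # fatal handshake_failure

if __name__ == "__main__":
    for sample in (SAMPLE_SSL3_ACCEPTED, SAMPLE_TLS12_CHOSEN, SAMPLE_ALERT, b""):
        print(classify_reply(sample))
```

A verdict of `sslv3` means the endpoint still accepts the protocol and remains exposed to the downgrade described above.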

 

Status:

All systems were patched as of 14:33 MT on 10/14/2014

 

 

