CVE ID
CVE-2014-3566
DESCRIPTION
The Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability allows a man-in-the-middle attacker to decrypt ciphertext by exploiting the padding bytes used in SSL 3.0 CBC mode.
Exploiting this vulnerability is not easily accomplished. Man-in-the-middle attacks require large amounts of time and resources. While the likelihood is low, Red Hat recommends implementing only TLS to avoid flaws in SSL. Disabling SSLv3 in favor of at least a TLS connection is recommended.
Red Hat statement
All implementations of SSLv3 are affected. Red Hat Enterprise Linux and other Red Hat products include libraries which enable the use of SSLv3. This vulnerability does not affect the newer encryption mechanism known as Transport Socket Layer (TLS).
To mitigate this vulnerability, you should disable SSLv3 in all affected packages.
Unitrends statement
Risk to Unitrends systems: Low
The attacker has to insert himself as a man-in-the-middle, which is difficult and time-consuming. He would also need to understand the protocols we use to back up or replicate in order to intercept any critical data. OpenVPN 2.x also does not support SSLv3.
RESOLUTION
Unitrends disables SSLv3 for web access in /etc/httpd/conf.d/ssl.conf with release 8.0.0-2 and later.
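One way to confirm that an ssl.conf really has SSLv3 turned off is to evaluate each SSLProtocol directive the way mod_ssl applies its tokens. The script below is an added example, not Unitrends or Red Hat code; the two sample configurations are constructed, and it assumes that "all" (and a missing directive) includes SSLv3, as it did in httpd builds of the POODLE era.

```python
import re

# Constructed sample configurations (not taken from a real appliance).
WEAK_CONF = """\
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2
</VirtualHost>
"""
FIXED_CONF = """\
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""

# Assumption: "all" expands to a set that contains SSLv3 (conservative).
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

def enabled_protocols(args):
    """Apply SSLProtocol tokens left to right: '+' adds, '-' removes,
    and a bare token replaces everything set so far."""
    enabled = set()
    for tok in args.split():
        sign, name = "", tok.lower()
        if name[0] in "+-":
            sign, name = name[0], name[1:]
        members = ALL if name == "all" else {name}
        if sign == "-":
            enabled -= members
        elif sign == "+":
            enabled |= members
        else:
            enabled = set(members)
    return enabled

def audit(conf_text):
    """Return (line_number, text) findings where SSLv3 stays enabled.
    Commented-out directives do not match and are ignored."""
    findings, seen = [], False
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            seen = True
            if "sslv3" in enabled_protocols(m.group(1)):
                findings.append((n, line.strip()))
    if not seen:  # no directive at all: the assumed default is "all"
        findings.append((0, "no SSLProtocol directive found"))
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, audit(conf) or "SSLv3 disabled")
```

To check a live system, pass the contents of /etc/httpd/conf.d/ssl.conf to audit(); an empty list means no directive in that file leaves SSLv3 enabled.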