Short after the Bash bug or Shellshock, which ISL Online was NOT affected by, another security vulnerability has been revealed. This time, a 15-years old flaw in SSL 3.0 or the so-called POODLE attack is a problem in the CBC encryption scheme as implemented in the SSL 3 protocol. SSL stands for “Secure Sockets Layer,” which encrypts data between a client and a server and secures most of the data sent over the Internet. As a quick response to the SSL 3.0 vulnerability, ISL Online deployed an automatic security update for all SaaS users, an update available for Server License users, and disabled SSLv3 on all web servers. If you have already switched to the latest update, you can feel safe from the POODLE attack.
SaaS users don’t need to update
Just days after POODLE revealed, a new version of ISL Conference Proxy 4.0.3 with OpenSSL 1.0.1j and added support for TLS_FALLBACK_SCSV was immediately deployed to the ISL Cloud Network of servers where all SaaS sessions are hosted. ISL Online SaaS (Hosted Service) users were automatically shifted to use the safe fixed version. Hosted Service users thus don’t need to do anything as they are already using the new software with the SSL 3.0 vulnerability fixed.
SSLv3 disabled on http://www.islonline.com
SSLv3 was immediately disabled on all web servers due to the Poodle vulnerability.
Server License users need to update (IMPORTANT)
An update, which eliminates SSLv3 POODLE vulnerability, has been issued for ISL Online Server License, too. In this update, an Internal OpenSSL library, used for the SSL encryption, has been updated to the version 1.0.1j along with an additional TLS_FALLBACK_SCSV flag for SSL connections.
It’s important that all Server License users update the server application ISL Conference Proxy to the latest version 4.0.3. Here are instructions on how to upgrade the ISL Conference Proxy:
• Go to the server running ISL Conference Proxy.
• Open the web administration page: http://localhost:7615/conf.
• Login as user admin.
• Select Online Update and apply all available updates.
Although updating your ISL Conference Proxy to the version 4.0.3 will keep you safe from POODLE attackers, we also recommend you to enable SSL for ISL Conference Proxy related web pages (if you have not done that already) and completely disable SSLv2 and SSLv3 on your ISL Conference Proxy. Again, both recommendations are optional.
Enable SSL on ISL Conference Proxy (OPTIONAL)
For greater security, it is recommended that Server Licence users enable SSL for all web pages related to ISL Conference Proxy (isl.mycompany.com such as product login) by using a purchased or a self-signed certificate. This will give you full control over the SSL protocol and cipher suite settings enabling you to set them according to your own security policy and backward compatibility requirements.
To enable SSL for web pages served by ISL Conference Proxy, please read this manual.
Completely disable SSLv2 and SSLv3 on ISL Conference Proxy (OPTIONAL)
Follow these steps in order to completely disable SSLv2 and SSLv3 on your ISL Conference Proxy:
1. Open ICP administration (http://localhost:7615/conf).
2. Go to “Configuration” -> “General”.
3. Uncheck the checkbox in front of the setting “HTTPT SSL protocol” and modify the value so that it includes the following: all -SSLv2 -SSLv3.
4. Click “Save” at the bottom to apply the changes.
5. Perform tests (with one of the online SSL security scanners or with other tools such as sslscan) and make sure everything is ok.
Important: Disabling SSLv3 means that IE6 users with default settings will not be able to open secure ISL Conference Proxy webpages.
As it usually applies to all big changes, make sure they don’t break compatibility where not acceptable (yet), that’s why you should perform tests on all main use cases before making any permanent modifications.
If you experience difficulties with the upgrade, please contact us for support.