SSLv3 POODLE vulnerability assessment on DataDirect Connect

Posted by bwright on 22-Oct-2014 08:15

SECURITY VULNERABILITY NOTIFICATION

The US Computer Emergency Readiness Team (US-CERT) has issued alert TA14-290A, "SSL 3.0 Protocol Vulnerability and POODLE Attack" (https://www.us-cert.gov/ncas/alerts/TA14-290A). The alert documents a weakness in the SSL 3.0 protocol itself, not a bug in any single implementation: an attacker positioned on the network path can abuse the protocol's CBC padding handling to decrypt portions of an SSLv3 session. Please refer to the alert for additional details.

IMPACT ASSESSMENT

Progress DataDirect has reviewed its Connect ODBC and JDBC connectivity products and identified the following products as impacted:
  • Oracle Wire Protocol ODBC & JDBC drivers
  • Oracle Client ODBC driver
  • SQL Server Wire Protocol ODBC & JDBC drivers
  • SQL Server Legacy ODBC driver
  • DB2 ODBC & JDBC drivers
  • PostgreSQL ODBC & JDBC drivers
  • MySQL ODBC & JDBC drivers
  • Greenplum ODBC & JDBC drivers
  • Sybase ODBC & JDBC drivers
  • Teradata Client ODBC driver
  • OpenEdge ODBC & JDBC drivers
  • Amazon Redshift ODBC & JDBC drivers
  • Salesforce ODBC & JDBC drivers
We continue to assess the impact of this vulnerability on our DataDirect Cloud, OpenAccess, and SequeLink products and will publish separate impact assessments for those.

MITIGATION SUMMARY

Many of the impacted Connect products can be configured not to negotiate SSLv3 and therefore avoid the POODLE vulnerability. This section identifies which of our Connect products can be configured in this manner.
Note that most database servers can also be configured to refuse SSLv3 entirely or to disable the SSLv3 cipher suites. Either mitigation, on the client side with the impacted Connect products or on the server side, prevents the POODLE attack, since the attack requires both endpoints to complete an SSLv3 handshake. Server-side mitigation has the advantage of protecting every client at once, including drivers that cannot yet be configured; the steps vary by vendor and are documented in each vendor's documentation.
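A check that the server-side mitigation actually took effect, added here as an example; it is not part of the original advisory and not code from any DataDirect product. It sends a bare SSLv3 ClientHello offering CBC cipher suites and reports whether the listener completes an SSL 3.0 handshake, which a current TLS library cannot do for you because it refuses to speak SSLv3 at all. It works against listeners that start TLS immediately (for example an Oracle TCPS or DB2 SSL port, or any HTTPS port) and, with the --postgres flag, against PostgreSQL, whose SSLRequest preamble it sends first; SQL Server (TDS pre-login) and MySQL wrap TLS inside their own protocol preambles, which this probe does not implement. The two sample responses are constructed bytes, not captures from a real server, and the host and port are assumptions supplied on the command line.

```python
"""POODLE exposure check: does a TLS listener still complete an SSL 3.0 handshake?

Added example, not DataDirect code. Sends a minimal SSLv3 ClientHello offering CBC
cipher suites and classifies the first record the server returns.
"""
import os
import socket
import struct
import sys

SSLV3 = 0x0300

# CBC suites an SSLv3 server is likely to accept. POODLE attacks CBC padding, so a
# server that completes the handshake with one of these is exposed.
CBC_SUITES = (0x000A, 0x0016, 0x002F, 0x0033, 0x0035, 0x0039)

ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}


def build_sslv3_client_hello(client_random=None):
    """Return one SSLv3 handshake record carrying a ClientHello (no extensions)."""
    client_random = client_random or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CBC_SUITES)
    body = (
        struct.pack("!H", SSLV3)                      # client_version = SSL 3.0
        + client_random                               # 32-byte random
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", len(suites)) + suites     # cipher_suites
        + b"\x01\x00"                                 # compression_methods: null only
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello, 3-byte length
    return b"\x16" + struct.pack("!HH", SSLV3, len(handshake)) + handshake  # 0x16 = handshake record


def parse_server_response(data):
    """Classify the first record a server sent back after our SSLv3 ClientHello."""
    if len(data) < 5:
        return {"sslv3_accepted": False, "detail": "no record returned (connection closed or non-TLS listener)"}
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:                        # alert record
        level, desc = data[5], data[6]
        return {"sslv3_accepted": False, "detail": f"alert {ALERT_NAMES.get(desc, desc)} (level {level})"}
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:   # ServerHello
        version = struct.unpack("!H", data[9:11])[0]
        if version != SSLV3:
            return {"sslv3_accepted": False, "detail": f"ServerHello with version 0x{version:04x}"}
        # cipher_suite follows server_version(2) + random(32) + session_id_len(1) + session_id
        sid_len = data[43] if len(data) > 43 else 0
        cipher = data[44 + sid_len:46 + sid_len]
        suite = f"0x{struct.unpack('!H', cipher)[0]:04x}" if len(cipher) == 2 else "unknown"
        return {"sslv3_accepted": True, "detail": f"ServerHello SSLv3, cipher suite {suite}"}
    return {"sslv3_accepted": False, "detail": f"unexpected record type 0x{content_type:02x}"}


def probe(host, port, postgres=False, timeout=5.0):
    """Connect, optionally send the PostgreSQL SSLRequest preamble, then run the SSLv3 probe."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if postgres:
            # PostgreSQL SSLRequest: int32 length 8 + int32 code 80877103; reply 'S' means TLS follows
            sock.sendall(struct.pack("!II", 8, 80877103))
            if sock.recv(1) != b"S":
                return {"sslv3_accepted": False, "detail": "server declined SSL on this port"}
        sock.sendall(build_sslv3_client_hello())
        data = b""
        try:
            # read until the first record is complete: 5-byte header plus declared length
            while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
        return parse_server_response(data)


# Constructed sample responses (not captured from any real server) for offline use.
SAMPLE_SSLV3_SERVER_HELLO = (
    b"\x16\x03\x00\x00\x2a"        # handshake record, SSL 3.0, 42-byte payload
    + b"\x02\x00\x00\x26"          # ServerHello, 38-byte body
    + b"\x03\x00" + b"\x11" * 32   # server_version SSL 3.0, 32-byte random
    + b"\x00"                      # empty session_id
    + b"\x00\x2f"                  # TLS_RSA_WITH_AES_128_CBC_SHA: exposed
    + b"\x00"                      # null compression
)
SAMPLE_PROTOCOL_VERSION_ALERT = b"\x15\x03\x00\x00\x02\x02\x46"  # fatal (2) alert 70 protocol_version

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])          # assumed: supplied by the operator
    result = probe(host, port, postgres="--postgres" in sys.argv)
    print(("EXPOSED: " if result["sslv3_accepted"] else "not exposed: ") + result["detail"])
```

Run it as `python3 poodle_probe.py db.example.com 2484` (hostname and port are placeholders). An alert such as protocol_version or handshake_failure, or a connection that is simply closed, means the server refuses SSLv3; a ServerHello carrying version 0x0300 means it still accepts it, and until the server is fixed the client-side driver settings described below are the only protection.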

CONNECT JDBC MITIGATION 

All Connect for JDBC 5.1 drivers identified above, with the exception of the Salesforce driver, can be configured to disable SSLv3 and avoid the POODLE vulnerability by setting the connection option CryptoProtocolVersion to a comma-delimited list of the protocols the driver may negotiate; leaving SSLv3 out of the list prevents its use. For example, CryptoProtocolVersion=TLSv1,TLSv1.1,TLSv1.2.
We are actively investigating mitigation capabilities for the Salesforce JDBC driver.

CONNECT ODBC MITIGATION

The Connect for Oracle Wire Protocol ODBC driver version 6.1 and higher can be configured to disable SSLv3 and avoid the POODLE vulnerability by setting the connection option EncryptionMethod=5.
We are actively investigating adding similar mitigation behavior to all other impacted Connect ODBC drivers.
The SQL Server Legacy ODBC driver and the client-based Connect ODBC drivers (Oracle Client, Informix Client, and Teradata Client) rely on the vendor's own client libraries for SSL, so the protocol version negotiated is controlled by that library rather than by the DataDirect driver. Please consult the vendor-specific client library documentation for possible mitigation steps to avoid the POODLE vulnerability.

ADDITIONAL SUPPORT

Please contact Progress Technical Support with any additional questions regarding POODLE mitigation.
https://www.progress.com/support-and-services/support-services/contact-support/call-support

REFERENCES

http://knowledgebase.progress.com/articles/Article/000046539
http://media.datadirect.com/download/docs/odbc/allodbc/index.html#page/userguide/rfi1363233905034.html
