XOS 16.1.3.6 patch 1.8 - Vulnerability SSL Server Has SSLv3 Enabl

Arkadiusz_Dembi — Thu, 06 Apr 2017 15:21:00 GMT

HI, Our customer uses XOS 16.1.3.6 patch 1.8 and during the test he found out that SSL 3.0 is an obsolete and insecure protocol. Encryption in SSL 3.0 uses either the RC4 stream cipher, or a block cipher in CBC mode. RC4 is known to have biases, and the block cipher in CBC mode is vulnerable to the POODLE attack.

The SSLv3 protocol is insecure due to the POODLE attack and the weakness of RC4 cipher.

. Extreme page says about poodle that XOS version higher than 15.3 is patched , however SSL v3 is stil availble there , am i right ? How to deactiavte SSLv3 on this version and use TLS 1.1 or higher ?

Can you elabore more on SSLv3 ?

A. Dembiczak

RE: XOS 16.1.3.6 patch 1.8 - Vulnerability SSL Server Has SSLv3 Enabl

Drew_C — Thu, 06 Apr 2017 18:30:00 GMT

It sounds like you may have already seen our Vulnerability Notice on POODLE.
https://extremeportal.force.com/ExtrArticleDetail?n=000008192

However, it states "Fix Release(s): 15.6.2 and 15.7.1 and later releases"

topic RE: XOS 16.1.3.6 patch 1.8 - Vulnerability SSL Server Has SSLv3 Enabl in ExtremeSwitching (EXOS/Switch Engine)

XOS 16.1.3.6 patch 1.8 - Vulnerability SSL Server Has SSLv3 Enabl

RE: XOS 16.1.3.6 patch 1.8 - Vulnerability SSL Server Has SSLv3 Enabl