About the D4_4_sslv3_option Patch
This patch addresses the following issue:
- Vulnerability in SSLv3 - Padding Oracle On Downgraded Legacy Encryption (POODLE) - CVE-2014-3566.
- The browser page may automatically close when you attempt to add an attachment to a message.
- On some occasions, the number of secure SSL connections (stat SYSTEM.SSL)
becomes high as the system is failing to close aborted incoming SSL connections
- When this happens, SSL access to the services becomes very slow and the GUI
becomes inaccessible due to time outs, this presents to the user as a 'blank
white screen'. This patch resolves this problem.
- Can prevent security attack.
- Installing/unistalling the patch can briefly prevent users from using secure access to the services
Installing the Patch
To install this patch:
- Use a telnet client to connect to the administration command-line
interface on port 23 on your Mirapoint appliance.
- Log in as an administrator.
- Issue the following command:
If the result returned is 4.3.6,4.3.7, 4.4.1, 4.4.2 or 4.4.3, you can install this patch.
- Install the D4_4_sslv3_option patch using the following CLI command:
Update Install ftp://ftp.mirapoint.com/pub/updates/D4_4_sslv3_option
- After installing the patch, perform the following commands:
SSL NEWCERT 127.0.0.1
SSL SETVERSION "tlsv1"
Always check the system log after installing a patch regardless of whether
installation succeeds or fails.