A vulnerability (CVE-2014-3566) was discovered in SSLv3 named “POODLE” by its discovers, the vulnerability allows the plaintext of secure connections to be calculated by a network attacker as a result this can lead to them being able to compromise the encryption when using the SSLv3 protocol leaving traffic susceptible to a man in the middle (MITM) attack. This is a design flaw within the SSLv3 protocol itself and is not related to KEMP’s specific implementation or any other vendor’s implementation.
KEMP recommends disabling SSLv3 and forcing the use of TLS1.x on the Virtual Service. All customers should upgrade to 7.1-20b or higher as this version provides the required functionality to mitigate “POODLE” along with a rollup of fixes for previously reported security issues.
NOTE: In order to ensure that the delivery of your application is unaffected please confirm that prior to making this change that your clients and servers are not still relying on SSLv3.
The administrative Web User Interface (WUI) and RESTful API on a LoadMaster are also accessed via SSL/TLS and as of 7.1-22b do not support SSLv3 and as a result are not vulnerable to "POODLE".
Details on how to implement our recommended configuration are available at https://support.kemptechnologies.com/hc/en-us/articles/201995869
Why are KEMP recommending this approach?
- Newer browsers will default to more secure encryption protocols (e.g. TLSv1.x) however an attacker may also be able to trigger conditions in many browsers that will force them to fall back to SSLv3, by disabling SSLv3 we are mitigating this issue.
- If you need to support SSLv3 as your clients do not support TLS 1.x then another option is to disable support for CBC-based cipher suites when using SSLv3 (in either client or server). To do this on the LoadMaster, select the RC4-SHA cipher as this is the only cipher that does not use CBC and is still supported by SSLv3 and TLSv1. Opting for this option may lead to other issues associated to the RC4 cipher.
- On versions prior to 7.0-12 the LoadMaster is hard coded to always use RC4 as long as the client supports it, resulting in CBC-based ciphers being avoided and mitigating “POODLE”.
For further information on this vulnerability please see
For additional information and alternative download versions please contact KEMP Support.
KEMP is committed to resolving security vulnerabilities carefully and quickly. If you think you have found a security flaw in a KEMP product, please send all supporting information to firstname.lastname@example.org .