Syncplicity Support

EMC Syncplicity Frequently Asked Questions and Responses related to SSL 3.0 Fallback aka POODLE October 15, 2014

What is the issue?
This vulnerability allows the plaintext of secure connections to be calculated by a network attacker. In the web setting, this SSL 3.0 weakness can be exploited by a man-in-the-middle attacker to decrypt “secure” HTTP cookies, using techniques from the BEAST attack.

For more details refer to:
http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566


What components of Syncplicity are affected?

The issue impacts the Syncplicity web site (www.syncplicity.com), Syncplicity cloud storage, and Syncplicity On-Premise Storage Connector.


What steps were taken to remediate the vulnerability?
Support for SSL 3.0 has been removed from the Syncplicity web site (www.syncplicity.com) and Syncplicity cloud storage.


What steps do customers need to take to address the vulnerability? 
There is no action needed by EMC Syncplicity Personal Edition, Business Edition, and Enterprise Edition cloud storage customers to address this vulnerability.

EMC Syncplicity Enterprise Edition on-premise administrators are advised as follows:

If the Storage Connector Compute Node is configured with SSL using stunnel, administrators should check the configuration and remove the SSL 3.0 protocol option if it is presently specified. Perform the following steps to update the stunnel config.

  1. Edit etc/stunnel/stunnel.conf.
  2. Update the following line (possible values are all, SSLv2, SSLv3, TLSv1):

    sslVersion = SSLv3

The suggested value is TLSv1:

    sslVersion = TLSv1

  3. Restart the stunnel service by executing the command:

    sudo service stunnel restart
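
To locate every sslVersion line that needs the change described in the steps above, including lines inside per-service sections, the following added example (not EMC's or Syncplicity's own code) audits a stunnel config and reports values other than the suggested TLSv1. The function name audit_stunnel_conf, its exit codes, the sample config, and the choice to report a file with no sslVersion line are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: flag sslVersion values in a stunnel config that are not TLSv1.
# Exit status: 0 = only TLSv1 found, 1 = lines to review, 2 = file unreadable.
audit_stunnel_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        BEGIN { section = "global" }
        { sub(/\r$/, "") }                    # tolerate CRLF line endings
        /^[ \t]*[;#]/ { next }                # comment lines
        /^[ \t]*$/ { next }                   # blank lines
        /^[ \t]*\[/ {                         # [service] section header
            section = $0
            gsub(/^[ \t]*\[|\].*$/, "", section)
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) != "sslversion") next   # option name, any case
            seen++
            if (val != "TLSv1") {
                printf "%s:%d: [%s] sslVersion = %s (suggested: TLSv1)\n", FILENAME, NR, section, val
                bad++
            }
        }
        END {
            if (!seen) { printf "%s: no sslVersion line; check the default of your stunnel build\n", FILENAME; bad++ }
            exit (bad > 0)
        }
    ' "$conf"
}

# Demo on a constructed sample config (not a real Storage Connector file).
sample=$(mktemp)
printf '; constructed sample\n[storage]\naccept = 443\nsslVersion = SSLv3\n' > "$sample"
audit_stunnel_conf "$sample" || echo "review the lines above"
rm -f "$sample"
```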

If your Storage Connector is situated behind an SSL load-balancer we recommend you disable support for SSL 3.0 per the steps recommended by your load-balancer vendor.


EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.