bshopp I have now seen the official SolarWinds recommendations for this. Please see my comments in bold, and please let us know your responses. Thanks.
• Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate the issue.
  Currently no option to disable 3.0. Please can you explain exactly which cipher tick boxes need unticking, I see a LOT of ones containing 'CBC'. Should we also disable v2 using the tickbox too?
• Enable FIPS for SolarWinds product using FIPS manager (please note your environment must be FIPS compliant, e.g. MD5 and DES encryption in SNMP v3 is not supported by FIPS).
  Not really feasible considering these limitations: FIPS 140-2 Support
• Disable SSL in your browser settings. The POODLE attack requires a man in the middle. Disabling SSL in your browser prevents an attacker from forcing the browser to fall back to SSL and exploiting the vulnerability.
  This is a good point for admins but you can't control what users do.
• Apply upcoming OpenSSL hotfixes.
  Hotfixes that SolarWinds are releasing?
Please note that TLS 1.0 has similar padding-related vulnerabilities (CVE-2011-3389) and we recommend using TLS 1.1 and newer instead.
How do we also mitigate this in Serv-U?
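The first recommendation above (drop SSL 3.0, or at least the CBC-mode suites under it) raises the practical question of which cipher names are actually CBC. The following is an added example, not code from the thread or from SolarWinds, showing how to classify cipher-suite names in OpenSSL or IANA style as CBC-mode, and how to build and audit a Python `ssl` context that refuses SSL 3.0/TLS 1.0 and offers no CBC suites. The suite names in `CONSTRUCTED_SUITES` are a constructed sample, not a list taken from any SolarWinds product, and the classifier's token lists are an assumption about naming conventions, not a vendor API.

```python
import ssl

# Constructed sample of cipher-suite names as they might appear in a product's
# tick-box list (mix of OpenSSL-style and IANA-style names).
CONSTRUCTED_SUITES = [
    "AES128-SHA",                        # OpenSSL name: AES-CBC, mode token omitted
    "DES-CBC3-SHA",                      # 3DES in CBC mode
    "ECDHE-RSA-AES256-SHA384",           # AES-CBC with SHA-384 HMAC
    "ECDHE-RSA-AES128-GCM-SHA256",       # AES-GCM (AEAD), not CBC
    "ECDHE-RSA-CHACHA20-POLY1305",       # ChaCha20-Poly1305 (AEAD), not CBC
    "RC4-SHA",                           # stream cipher: not CBC (weak for other reasons)
    "TLS_RSA_WITH_AES_128_CBC_SHA",      # IANA name, explicit CBC
    "TLS_AES_256_GCM_SHA384",            # TLS 1.3 AEAD suite
]

# Tokens that mark a suite as AEAD or stream-cipher based (therefore not CBC).
NON_CBC_TOKENS = ("GCM", "CCM", "CHACHA20", "RC4", "NULL")
# Block ciphers that, without an AEAD token, are used in CBC mode in SSL/TLS.
BLOCK_CIPHER_TOKENS = ("AES", "DES", "CAMELLIA", "SEED", "IDEA")


def is_cbc_suite(name: str) -> bool:
    """Return True if the suite name denotes a CBC-mode block cipher.

    IANA names spell out CBC; legacy OpenSSL names omit the mode, so a block
    cipher with no AEAD/stream token is treated as CBC (assumption about naming).
    """
    n = name.upper()
    if "CBC" in n:
        return True
    if any(tok in n for tok in NON_CBC_TOKENS):
        return False
    return any(tok in n for tok in BLOCK_CIPHER_TOKENS)


def cbc_suites(names):
    """Filter a list of suite names down to the CBC-mode ones (the POODLE/BEAST exposure)."""
    return [n for n in names if is_cbc_suite(n)]


def hardened_context() -> ssl.SSLContext:
    """Build a client context that speaks TLS 1.2+ only and offers only AEAD suites.

    Setting minimum_version rules out SSL 3.0 and TLS 1.0/1.1 entirely; the
    cipher string then drops any remaining CBC suites for TLS 1.2.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def audit_context(ctx: ssl.SSLContext):
    """Return the names of CBC-mode suites the context would still offer (empty means clean)."""
    return cbc_suites(c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    print("CBC suites in the constructed list:", cbc_suites(CONSTRUCTED_SUITES))
    print("CBC suites left in hardened context:", audit_context(hardened_context()))
```

Running this prints the five CBC suites from the sample (the two GCM suites, the ChaCha20 suite and RC4 are not flagged) and an empty list for the hardened context. The same `audit_context` check is useful against whatever context or cipher list a server is actually configured with, as a quick way to confirm that disabling SSL 3.0 was not undone by a CBC suite still being enabled under TLS 1.0.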