Posted: November 4, 2014
A vulnerabilty has been found in SSL 3.0 specific to the way padding is handled for block-mode ciphers. Authors of the POODLE attack have shown how information encrypted in SSL 3.0 can be recovered/decrypted by exploiting this design flaw.
Official versions of VShell 4.0.5 and SecureCRT/SecureFX 7.3.1 will be released in the near future to address this vulnerability for connection protocols that rely on SSL/TLS. To receive pre-release versions of these products which disable SSL 3.0 protocol negotiation, please contact VanDyke Software technical support: email@example.com
Products NOT Affected
Wherever possible, SSL 3.0 should be disabled. Legacy clients/servers that only support SSL 3.0 should be updated to support TLS protcol versions that aren't vulnerable.
SecureCRT and SecureFX 7.3.1 and newer versions for all supported platforms will not allow SSLv3 in any Telnet/SSL or FTPS protocol negotiations.
We recommend that individuals running SecureCRT/SecureFX versions prior to 7.3.1 who depend on FTPS or Telnet/SSL connectivity upgrade to version 7.3.1 or newer as soon as possible.
VShell FTPS version 4.0.5 and newer for all supported platforms will not allow SSLv3 in any FTPS protocol negotiations.
We recommend that individuals running VShell FTPS versions prior to 4.0.5 upgrade to version 4.0.5 or newer as soon as possible.
CERT published an advisory on this vulnerability on October 17, 2014.