Important Information about POODLE Vulnerability (CVE-2014-3566)

Publish Time: 2014-10-28 00:00:00 UTC+8

Last Updated: UTC+8

Status
Resolved

Description

A vulnerability in version 3 of the SSL encryption protocol (SSL 3.0) was disclosed. This vulnerability, commonly referred to as POODLE, allows an attacker to decipher the plain text content of an SSL 3.0 encrypted message using a man-in-the-middle attack.

POODLE is a vulnerability affecting all servers and browsers worldwide using the SSL 3.0 protocol, including DSM. Due to the nature of the exploit (which requires a deliberate man-in-the-middle attack), the severity of this vulnerability is not considered critical. Synology is unaware of any cases at this time.

First-step solution

Since encryption is negotiated between clients and servers, POODLE is a vulnerability that involves both parties. It is suggested to update any clients that use the SSL protocol, such as browsers and email clients.

Most browsers automatically attempt to connect via SSL 3.0 when the server does not support the more advanced TLS protocols. For an official statement on how to disable SSL 3.0 in commonly used browsers, please consult the reference links below:

Update availability

The fix has been implemented in DSM 5.1. Updates are also available on DSM 5.0 4627-02 for EDS14 and DSM 5.0 4528-02 for all other DSM 5.0 compatible models. To apply the fix for this vulnerability, please go to DSM > Control Panel > Update & Restore > DSM Update and install the latest updates. Completing this update will automatically restart your system.
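
Because the protocol version is negotiated in the handshake, whether a server you administer still accepts SSL 3.0 can be checked by sending it a ClientHello that offers only SSL 3.0 and reading the first record it returns. The following is an added example, not Synology's code; the function names are illustrative, and the host and port are supplied by the operator on the command line.

```python
import os
import socket
import struct
import sys

SSL3 = b"\x03\x00"
# Cipher suites defined for SSL 3.0: AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA, RC4-MD5
SUITES = struct.pack(">5H", 0x002F, 0x0035, 0x000A, 0x0005, 0x0004)

def build_ssl3_client_hello() -> bytes:
    """Return one SSL 3.0 record holding a ClientHello that offers only SSL 3.0."""
    body = (SSL3 + os.urandom(32)              # client_version, random
            + b"\x00"                           # empty session_id
            + struct.pack(">H", len(SUITES)) + SUITES
            + b"\x01\x00")                      # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack(">H", len(handshake)) + handshake

def classify_reply(reply: bytes) -> str:
    """Interpret the first bytes the server sent back."""
    if not reply or reply[0] == 0x15:           # connection closed, or alert record
        return "rejected"
    if len(reply) >= 11 and reply[0] == 0x16 and reply[5] == 0x02:
        # ServerHello: server_version sits right after the 4-byte handshake header
        return "accepted" if reply[9:11] == SSL3 else "unknown"
    return "unknown"

def check_host(host: str, port: int, timeout: float = 5.0) -> str:
    """Offer SSL 3.0 only and report whether the server agreed to it."""
    reply, need = b"", 7                        # 7 bytes = one complete alert record
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_ssl3_client_hello())
            while len(reply) < need:
                chunk = s.recv(64)
                if not chunk:
                    break
                reply += chunk
                if reply[0] == 0x16:
                    need = 11                   # read up to ServerHello.server_version
    except ConnectionResetError:
        pass                                    # a reset counts as a refusal
    return classify_reply(reply)

if __name__ == "__main__":
    print(sys.argv[1], check_host(sys.argv[1], int(sys.argv[2])))
```

A result of "accepted" means the server completed the version negotiation at SSL 3.0; "rejected" means it answered with an alert or dropped the connection.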