Q Is PaperCut affected by the SSL 3.0 “Poodle” vulnerability (otherwise known as CVE-2014-3566)?
SSL 3.0 is an older protocol, now superseded by TLS. It will generally only be used when both the web server and the client cannot use a more recent TLS protocol. These days, this scenario is becoming less and less common. For example, users would need to be on a browser no more recent than Internet Explorer 6. It is possible, however, that a man-in-the-middle attacker could intercept the protocol negotiation and force a downgrade to SSL 3.0.
In the case of HTTPS connections to the PaperCut server, TLS is always used if the client permits; however, SSL 3.0 will be negotiated if TLS is not supported by the client.
Some customers may prefer to prevent the PaperCut server from accepting SSL 3.0 incoming connections altogether. This may be achieved using the latest PaperCut MF 14.2 build 28942, and also the PaperCut NG & MF 14.3 release (due out mid-Oct-2014). Add the following line to your server.properties file and restart the application server:
Take care and test thoroughly if you are running a fleet of MFD devices with PaperCut MF. Whilst some MFDs do not support all TLS versions, most will support TLS v1.0. It is possible that some older MFDs may require SSL 3.0, and the above configuration change will block HTTPS connections from these devices.
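One way to find the devices that would be blocked before making the change is to read the protocol version each client offers in its ClientHello, taken from a packet capture of connections to the server. This is an added example, not PaperCut code; the device names and hello bytes are constructed samples, and the function names are hypothetical.

```python
import struct

SSL3 = 0x0300
NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def client_hello_version(data: bytes) -> int:
    """Return the highest protocol version a client offers in its ClientHello."""
    # SSLv2-compatible hello (sent by some very old clients): 2-byte length
    # with the high bit set, message type 1, then the offered version.
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        return struct.unpack("!H", data[3:5])[0]
    # SSL 3.0 / TLS record: 5-byte record header (type 0x16 = handshake),
    # 4-byte handshake header (type 0x01 = ClientHello), then client_version.
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        return struct.unpack("!H", data[9:11])[0]
    raise ValueError("not a ClientHello")

def blocked_if_ssl3_disabled(captures: dict) -> list:
    """Names of clients that offer nothing newer than SSL 3.0."""
    return sorted(n for n, h in captures.items() if client_hello_version(h) <= SSL3)

def _sample_hello(version: int) -> bytes:
    """Build a minimal constructed ClientHello record offering `version`."""
    body = (struct.pack("!H", version) + bytes(32)   # client_version, random
            + b"\x00"                                # empty session id
            + b"\x00\x02\x00\x2f"                    # one cipher suite
            + b"\x01\x00")                           # null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", min(version, 0x0301), len(handshake)) + handshake

# Constructed SSLv2-compatible hello offering SSL 3.0 as its highest version.
_SSLV2_COMPAT = (b"\x80\x1c\x01\x03\x00" + b"\x00\x03\x00\x00\x00\x10"
                 + b"\x00\x00\x0a" + bytes(16))

# Constructed sample data: device name -> first bytes the device sent.
SAMPLE_CAPTURES = {
    "mfd-floor1": _sample_hello(0x0301),
    "mfd-floor2": _sample_hello(0x0300),
    "mfd-legacy": _SSLV2_COMPAT,
    "workstation": _sample_hello(0x0303),
}

if __name__ == "__main__":
    for name, hello in sorted(SAMPLE_CAPTURES.items()):
        v = client_hello_version(hello)
        print(f"{name}: offers up to {NAMES.get(v, hex(v))}")
    print("blocked after change:", blocked_if_ssl3_disabled(SAMPLE_CAPTURES))
```
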
More information on Poodle can be found here: