POODLE Vulnerability

United States
North America

Canada (FR)

Canada (EN)

Mexico

United States

South America

Argentina

Brasil

Chile

Colombia
Europe

Belgium (FR)

Belgium (NL)

Česká republika

Denmark

Europe

Suomi

France

Deutschland

Hebrew

Hungary (EN)

Hungary (HU)

Ireland

Italia

Nederland

Norge

Polska

Россия

España

Sverige

Schweiz

Türkiye

United Kingdom
Middle East / Africa

Middle East, North Africa

Africa

Asia / Pacific

Australia / New Zealand

中国

Greater Asia

India

Indonesia

日本

Korea

Malaysia

Philippines

Singapore

Thailand

Vietnam
Login

Nov 11, 2014

Bulletins

External statement on SSL 3.0 protocol vulnerability and the POODLE attack

The U.S. Computer Emergency Readiness Team (US-CERT), a division of the U.S. Department of Homeland Security (DHS), recently released a security advisory that all systems and applications using Secure Sockets Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable to an attack. It advised that the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios. The Google security team that discovered this vulnerability in September 2014 has stated that they do not consider the POODLE attack to be as serious as the Heartbleed or Shellshock attacks.

BD is following the recommendation from US-CERT to disable SSL 3.0 on our hosted web service solutions. This will only affect customers who use outdated web browsers, such as Internet Explorer (IE) 6.0 or older. However, BD previously communicated with customers that the company will no longer support IE 6.0 as of October 1, 2014, so we expect minimal impact to customers.

For any customer using IE, BD recommends following the suggested actions in the Microsoft® advisory instructions or using an alternate web browser that supports the Transport Layer Security (TLS) protocol.

To change the default protocol version to be used for HTTPS requests, Microsoft recommends:

On the IE Tools menu, click Internet Options.
In the Internet Options dialog box, click the Advanced tab.
In the Security category, uncheck Use SSL 3.0 and check Use TLS 1.0, Use TLS 1.1 and Use TLS 1.2(if available).
Click OK.
Exit and restart.

For any customer using Google Chrome or Mozilla Firefox, BD recommends following the suggested actions in Disabling Browser Support for the SSL 3.0 Protocol.

After BD disabled SSL 3.0 on our systems, we can confirm that these customer-facing hosted web service solutions are secure from the SSL 3.0 and POODLE attack vulnerability:

Axeda and Bomgar Remote Support Services (RSS) and access platforms for Alaris™ and Pyxis™ technologies
BD Customer Portal, available for Pyxis technologies customers at cp.carefusion.com
Knowledge Portal analytics solutions for infusion technologies, Pyxis medication and supply technologies, and ventilator therapy
External Identity Manager (EIM), at eim.carefusion.com
MedMined™ Surveillance Advisor
Respiratory diagnostics eStore, at store.carefusion.com/respiratorydiagnostics
The supplier and distributor communication portal, at vision.carefusion.com
Teamviewer RSS for ventilation technologies
V. Mueller™ online catalog, at vision.carefusion.com