SAP Knowledge Base Article - Public

2116506 - SuccessFactors and Poodle - Platform Services & Tools

Symptom

Environment

  • Platform Services & Tools

Resolution

  • What is POODLE? It stands for “Padding Oracle On Downgraded Legacy Encryption.” This vulnerability allows a network attacker to calculate the plaintext of secure connections. For further detail, please refer to the advisory: https://www.us-cert.gov/ncas/alerts/TA14-290A and the vulnerability summary: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566.
     
  • The vulnerability caused by POODLE can only be resolved by disabling support for the SSLv3.0 protocol. Disabling SSLv3.0 will impact all customers still using older versions of browsers that communicate only with SSLv3.0 and lower protocols (IE6 among them). As there is no patch or effective mitigating control that can be implemented, the only way to protect our customers’ data and our systems appropriately is to discontinue the use of SSLv3.0.
     
  • All customers still using older versions of browsers MUST upgrade or they will lose access to their SuccessFactors applications. It is up to our customers to determine which browser meets their security (and business) needs.
     
  • As communicated earlier, we permanently disabled SSLv3.0 support on November 9, 2014.
  • On December 8, 2014, it was publicly reported that some Transport Layer Security (TLS) Protocol implementations are also vulnerable to POODLE. For further information, please refer to the advisory: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8730. We are aware of this issue and are currently testing a patch provided by our vendor. Upon successful completion of the tests, which we expect to be around January 18, 2015, we will implement the patch.
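
The following is an added example, not part of the SAP article or any SAP tooling. It shows how to confirm from the first record a server returns to an SSLv3.0-only ClientHello that SSLv3.0 is no longer negotiated. The function names and the sample records are constructed for illustration.

```python
import struct

# Wire values of the ServerHello server_version field.
VERSIONS = {0x0300: "SSLv3.0", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def classify_server_reply(record: bytes) -> str:
    """Classify the first record a server sends back to a ClientHello.

    Returns "refused" for an alert, otherwise the protocol name taken from
    ServerHello.server_version. TLS 1.3 servers also put 0x0303 in this field,
    so "TLSv1.2" here means "TLS 1.2 or later".
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _record_version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if len(body) < length:
        raise ValueError("truncated record body")
    if content_type == 21:              # alert: the server rejected the offer
        return "refused"
    if content_type != 22 or len(body) < 6 or body[0] != 2:
        raise ValueError("not a ServerHello")
    # body[1:4] is the 3-byte handshake length; server_version follows it.
    (server_version,) = struct.unpack("!H", body[4:6])
    return VERSIONS.get(server_version, f"unknown (0x{server_version:04x})")

def sslv3_disabled(record: bytes) -> bool:
    """True when the reply to an SSLv3.0-only ClientHello is not an SSLv3.0 ServerHello."""
    return classify_server_reply(record) != "SSLv3.0"

def build_server_hello(version: int) -> bytes:
    """Build a minimal constructed ServerHello record (zero random, empty session id)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake

# Constructed sample replies, not captures from any real system.
SSLV3_ACCEPTED = build_server_hello(0x0300)
TLS12_SELECTED = build_server_hello(0x0303)
ALERT_REFUSED = struct.pack("!BHH", 21, 0x0300, 2) + b"\x02\x28"  # fatal handshake_failure

if __name__ == "__main__":
    samples = [("accepted", SSLV3_ACCEPTED), ("tls12", TLS12_SELECTED), ("alert", ALERT_REFUSED)]
    for name, rec in samples:
        print(name, classify_server_reply(rec), "SSLv3 disabled:", sslv3_disabled(rec))
```
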

Keywords

KBA, LOD-SF-PLT, Foundational Capabilities & Tools, How To

Product

SAP SuccessFactors HCM Core all versions