Informatica’s Response To the POODLE SSL v3 Vulnerability
The information security industry is an “arms race”, with attacks always getting better. To that end, it’s important that security controls and implementations be designed with flexibility and agility in mind. The SSL protocol was originally developed by Netscape Communications, the company that helped fuel the Internet generation. For the past 20 years, we’ve seen advances in computing power and novel attacks against SSL implementations. As new vulnerabilities are discovered, enhancements are proposed, and TLS was developed to replace SSL. The cycle continues…we’re now at TLS 1.2, and with this “POODLE” vulnerability it’s finally time to say goodbye forever to the SSL foundations that brought us here.
The recent announcement of POODLE should be another wake-up call to security practitioners and implementors that patches and updates are now the “New Normal” for infrastructure that handles sensitive data. Even foundational protocols like SSL require care and feeding, regular maintenance and updates. For Informatica customers, this note is our response to help you keep your software patched via important updates provided by our Global Customer Support organization.
1 – What you need to know
On October 14, 2014 Google security researchers released details of a vulnerability within the design of SSL version 3 protocol. An attacker in a privileged position on a network could intercept encrypted traffic and methodically decrypt the messages to reveal sensitive information such as credentials. This is an industry-wide issue, affecting nearly every system that implements or supports SSL. TLS is its replacement, but not every product is guaranteed compatible with an SSL -> TLS upgrade so patches need to be applied and tested carefully.
Informatica’s cloud-hosted products including Informatica Cloud Services (ICS) and our recently-launched Project Springbok beta, have already been patched to address this issue and will only support TLS going forward. We continue to monitor for relevant updates to both vulnerabilities and available patches.
Because this vulnerability affects connectivity to other systems, it is important that our customers carefully assess (a) the level of risk they are actually subject to, and (b) the impact disabling SSLv3 will have against other clients, servers, and API endpoints in their ecosystem. It may be acceptable, for example, to leave SSLv3 enabled if sufficient compensating controls are enforced and the risk of change is too great.
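As an added illustration of assessment step (b), not part of Informatica's response or tooling: this script sends a bare SSLv3 ClientHello to one of your own endpoints and reports whether the server answers with an SSLv3 ServerHello (still accepts SSLv3), an alert or closed connection (refuses it), or something unexpected. The host, port and the cipher-suite list are assumptions chosen for the probe; the classifier can be checked offline against constructed records.

```python
import os
import socket
import struct
import sys

SSLV3 = b"\x03\x00"  # SSL 3.0 protocol version as it appears on the wire
# Constructed list of SSLv3-era cipher suite IDs (IANA values):
# AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA, RC4-MD5
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_sslv3_client_hello(cipher_suites=CIPHER_SUITES):
    """Build a minimal SSLv3 ClientHello record (SSLv3 has no extensions)."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        SSLV3                                        # client_version
        + os.urandom(32)                             # random
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", len(suites)) + suites    # cipher_suites
        + b"\x01\x00"                                # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # ClientHello + 3-byte length
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server returns: 'accepted', 'refused' or 'unknown'."""
    if len(data) < 5:
        return "refused"       # connection closed or empty reply: no SSLv3 handshake
    content_type = data[0]
    if content_type == 0x15:   # Alert record (e.g. handshake_failure, protocol_version)
        return "refused"
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:  # ServerHello
        return "accepted" if data[9:11] == SSLV3 else "refused"    # ServerHello.server_version
    return "unknown"


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect to host:port and report whether the server completes an SSLv3 ServerHello."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""         # a silent drop or reset is treated as a refusal
    return classify_response(data)


if __name__ == "__main__":
    # Usage: python probe.py <host> [port]  (audit endpoints you operate or are authorised to test)
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{target}:{port} SSLv3 {probe_sslv3(target, port)}")
```

An "accepted" result means the endpoint still negotiates SSLv3 and needs the patch or configuration change described in this note; a "refused" result means clients that only speak SSLv3 will break against it.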
2 – What you need to do
Informatica’s Information Security team coordinated an internal response with developers to assess the vulnerability within our products and cloud services.
Some Informatica products require patches or configuration changes before SSLv3 can be disabled or their SSL/TLS protocol settings tuned. Please contact Informatica Global Customer Support or your account executive for more information or technical questions.
Informatica cloud-based services were patched by our operations team. Please check that your connectivity to these services is operating normally, especially any SSL or TLS settings.
| Cloud Service | Version | Patch / Remediation |
|---|---|---|
| Springbok | Beta | No action necessary. The Springbok infrastructure has been patched by Informatica Cloud Operations. |
| ActiveVOS/Cloud | All | No action necessary. The ActiveVOS/Cloud infrastructure has been patched by Informatica Cloud Operations. |
| Cloud/ICS | All | No action necessary. The ICS infrastructure has been patched by Informatica Cloud Operations. |
Informatica takes the security of our customers’ data very seriously. Please refer to Informatica’s Knowledge Base article, or contact our Global Customer Support team if you have any questions or concerns about our product SSL configurations in your environment. The Informatica support portal is always available at http://mysupport.informatica.com.
3 – How to contact Informatica about security
If you are a security researcher and have identified a potential vulnerability in an Informatica product or service, please follow our Responsible Disclosure Program.