Updated: March 19, 2015
On Thursday, October 16, 2014, a new vulnerability was announced in a commonly used, but older protocol called Secure Sockets Layer version 3 (SSL v3). Researchers formulated the Padding Oracle on Downloaded Legacy Encryption (POODLE) attack, which attempts to force the use of SSL v3 when visiting encrypted websites. The attacker may then be able to read some portions of the encrypted communication by exploiting known vulnerabilities in SSL v3.
There are two key parts to this vulnerability: the server/network side and the desktop/browser side.
Server/network protection: Ceridian has downloaded and applied updates for our Intrusion Prevention System (IPS) and Intrusion Detection Systems (IDS) to detect SSL v3 traffic and block any attempts to exploit SSL v3 vulnerabilities.
Ceridian has disabled SSL v3 traffic on Internet facing websites.
Desktop browser side protection: While Ceridian is taking an action to protect customer connections to the Ceridian's websites and products, customers should be aware that older browsers are vulnerable when used to access any web page that supports SSLv3. Therefore, customers should ensure they have updated to more current versions of their supported browsers; or manually disabled SSL v3 and enabled Transport Layer Security version 1 (TLSv1). All Ceridian webpage's support TLS v1.
For help with enabling TLS on IE, Firefox, and Chrome, click here.
Ceridian has addressed the POODLE vulnerability at the server/network level and applies patches from vendors as they become available.