-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note on CVE-2014-3566 - SSL 3.0 support in Apache CXF, aka the "POODLE" attack:

The SSL protocol 3.0 uses non-deterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain clear text data via a padding-oracle attack, aka the "POODLE" issue:

https://access.redhat.com/articles/1232123

The problem with POODLE comes when the connection is downgraded to use SSL 3.0 when higher level TLS comms fail. If an attacker in the middle of a connection can cause this failure then they may be able to force the browser to do exactly what it's designed to do: fall back to SSL 3.0 and try again.

Apache CXF disables support for SSLv3 by default for both clients and Jetty servers configured via CXF's HTTPJ namespace, from the 3.0.3 and 2.7.14 releases. To support SSLv3 it is necessary to specify "SSLv3" for the "secureSocketProtocol" attribute; see the TLS configuration link below.

References:

http://cxf.apache.org/security-advisories.html
https://issues.apache.org/jira/browse/CXF-6086
http://cxf.apache.org/docs/tls-configuration.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJUkELkAAoJEGe/gLEK1TmDeCcH/RxLLkEr+oEcgWrYa4rKrMPq
Sw+62Hzpswi5zYHIH5p2pKuMN9WhvxqsBZKT6SoSHfJ28yvcbiBG78o49O/nLois
spUFTMSZAkdHAvg6G0gr5ODXCOxZyCQS9Tjf7cWfkne9sepIveP3RdHs75V+0C9u
bxMzkEYRc58ZUD6xDzoGsLhnm0jiIfkCg7sjKH/3j6eG3LV7Blj578GZZmAkRK4E
rNxGDX9X7LksdDXi4wB0RW5n3GKRj5WSf7rWgxJQOJ0Zde3WdNALyPxLW9+MN5NK
ZuXZ6SvJKKB33/cbyTBlti4PaFpG9D0T6KRvNwsqP42e9MPk/6V+ywR3aa4PU94=
=XS57
-----END PGP SIGNATURE-----
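As an added example (not part of the advisory or of CXF's own documentation), here are the two places the "secureSocketProtocol" attribute mentioned above lives: the client-side http:conduit and the httpj:engine-factory for a Jetty endpoint managed through CXF's HTTPJ namespace. The conduit name, port, keystore paths and passwords are placeholders. Pinning the attribute to a specific TLS version means the endpoint never offers SSLv3 on any CXF release, not only from 3.0.3 / 2.7.14 onward; the commented-out "SSLv3" value is the setting the advisory says is now required to re-enable it.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd
         http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd">

  <!-- Client side. The conduit name ({namespace}PortName.http-conduit) is a placeholder. -->
  <http:conduit name="{http://example.org/placeholder}PlaceholderPort.http-conduit">
    <!-- Hardened: a fixed TLS version, so no downgrade to SSLv3 is possible.
         Weak (do not use): secureSocketProtocol="SSLv3" re-enables the protocol
         POODLE targets; from 3.0.3 / 2.7.14 this is the only way CXF offers it. -->
    <http:tlsClientParameters secureSocketProtocol="TLSv1.2">
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="changeit" file="/placeholder/truststore.jks"/>
      </sec:trustManagers>
    </http:tlsClientParameters>
  </http:conduit>

  <!-- Server side: a Jetty engine configured via the HTTPJ namespace (placeholder port). -->
  <httpj:engine-factory bus="cxf">
    <httpj:engine port="8443">
      <!-- Same attribute, same rule: name a TLS version, never "SSLv3". -->
      <httpj:tlsServerParameters secureSocketProtocol="TLSv1.2">
        <sec:keyManagers keyPassword="changeit">
          <sec:keyStore type="JKS" password="changeit" file="/placeholder/keystore.jks"/>
        </sec:keyManagers>
      </httpj:tlsServerParameters>
    </httpj:engine>
  </httpj:engine-factory>

</beans>
```

The attribute value is the JSSE protocol name handed to the Java SSLContext, so "TLSv1.2" requires a JDK that provides it (Java 7 or later). Leaving the attribute out entirely is also acceptable on 3.0.3 / 2.7.14 and later, since those releases exclude SSLv3 by default; on older releases the explicit value is what closes the downgrade path.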