Today, a new attack on SSL v3 dubbed POODLE was published. We’ve reviewed it and concur with the community that it is similar to the BEAST attack published in 2011, but more practical.

Like the BEAST attack, exploiting this vulnerability requires that the attacker be able to run his JavaScript in the victim’s browser and to man-in-the-middle the connection between the client and server. At this time we view this as a browser-based attack and do not see direct relevance to VMware’s products.

We will shortly issue a VMware Knowledge Base (KB) article for POODLE with similar guidance to that found in our BEAST KB article.

10/15 Update
We’ve published VMware Knowledge Base 2092133 with the recommendation to disable SSL v3 in your browser.

10/16 Update
Over the next few days we will begin a structured rollout to explicitly deny SSL v3 connections on all VMware websites and services. We support industry recommendations on disabling SSL v3 and requiring TLS for encrypted communication.