xTuple Response to POODLE vulnerability

Early this month, a new Internet-wide security vulnerability known as POODLE surfaced. This vulnerability affects the SSLv3 protocol. Although SSLv3 is rarely used in communications between the most up-to-date applications, it presents a security concern for people whose systems are not updated to the latest versions.

For more information, see Wikipedia on POODLE and the Authorize.net POODLE FAQs.

The xTuple Desktop client used SSLv3 in previous versions as one way of communicating with credit card gateways. As of version 4.3, we moved to a more up-to-date protocol. For those of you on version 4.3 and newer, you need to do nothing at all.

For users on xTuple version 4.2 and earlier, we recommend that you swap over to our *other* supported way of communicating with credit card gateways, which is not susceptible to the POODLE vulnerability. The following updater package will toggle the appropriate metric:

xtuple.github.io/security-patches/poodle.gz

It is especially important to apply this fix soon if you are using Authorize.net as your credit card gateway, because as of November 4, Authorize.net will refuse to accept connections over SSLv3, due to the POODLE vulnerability. If you are on xTuple version 4.3+, or if you've applied the above package by then, your communications will work without interruption.

Steve Hackbarth

Software Development at xTuple, July 2012 – February 2015
