Is CVE-2016-0800 affecting Casper Suite?

akselzip
New Contributor

Has anyone found any information on if this is affecting iOS and OSx users in any way?
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0800

3 REPLIES 3

thoule
Valued Contributor II

This issue relates to servers/services provided over SSL2. Hopefully, you've switched your server to TLS only. I dropped SSL2 when I dropped SSL3 due to Poodle. If your server supports SSL2, then it may be vulnerable.

jason_vanzanten
New Contributor III

@akselzip: As @thoule points out, it looks like this issue is related to SSLv2 as used in certain versions of OpenSSL.

First, the JAMF Distribution Server (JDS) and NetBoot/SUS Appliance still rely on OpenSSL for cryptography, but other JAMF Software products do not, as outlined in the discussion about the Heartlbeed vulnerability from April 2014:

Security Update: Heartbleed Bug Vulnerability in OpenSSL

Next, as @thoule mentions, support for SSLv2 was disabled as part of the fix for the SSLv3 POODLE vulnerability in October 2014:

Security Update: SSL version 3.0 "POODLE" Vulnerability
Mitigating the SSL v3.0 POODLE Vulnerability

Finally, we recommend applying the latest patches to servers that are running the JDS and NetBoot/SUS Appliance, and disabling support for SSLv2 and SSLv3 on any servers that are running JSS v9.6 or earlier and/or any load balancers or proxies that you may be using in your environment. Starting with JSS v9.61, only TLS has been supported by default.

akselzip
New Contributor

Thanks for the information, that was really helpful!