CVE-2014-8730 "Poodle for TLS" vulnerability
FortiOS 5.2.2, 5.2.1, 5.2.0, 5.0.10 and lower are affected when running on a hardware appliance and all of the following conditions are met:
- FortiGate models with accelerated CP processors
- The SSL connection is using TLS v1.0, v1.1 or v1.2
- The SSL ciphers are CBC
- Only the following features are affected: virtual server with SSL, SSL offload, explicit-proxy SSL, transparent-proxy SSL, web-cache SSL, WAN Opt SSL and SIP SSL
All versions of FortiGate VM, as well as the FortiOS 5.4 branch, the FortiOS 5.6 branch and later releases, are not vulnerable.
FortiOS 5.0 branch users must upgrade to 5.0.11 or higher.
FortiOS 5.2.0 branch customers must upgrade to 5.2.3 or higher.
Customers running FortiOS 5.2.2, 5.2.1, 5.2.0, 5.0.10 and lower that meet all the conditions listed in the affected-products section above can apply the following workaround:
config system global
    set virtual-server-hardware-acceleration disable
end
Note: The performance impact may be significant.
To protect servers behind a FortiGate, the following IPS signature blocks exploitation attempts and has been available since IPS update 5.587: TLS.Padding.Oracle.Information.Disclosure
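As an added defender-side example (not Fortinet's code), the following Python encodes the advisory's affected-product conditions and remediation so that device inventory records can be triaged offline. The record layout, feature keys and sample values are constructed for this example, and cipher names are assumed to be OpenSSL-style suite names.

```python
import re
# Affected FortiOS releases on hardware appliances, as stated in the advisory.
AFFECTED_5_2 = {(5, 2, 0), (5, 2, 1), (5, 2, 2)}
LAST_AFFECTED_5_0 = (5, 0, 10)                 # "5.0.10 and lower", read literally
FIXED = {(5, 0): "5.0.11", (5, 2): "5.2.3"}   # first fixed release per branch
# Constructed keys standing in for the advisory's list of affected features.
AFFECTED_FEATURES = {"virtual-server-ssl", "ssl-offload", "explicit-proxy-ssl",
                     "transparent-proxy-ssl", "web-cache-ssl", "wanopt-ssl", "sip-ssl"}

def parse_version(text):
    """'5.2.1' -> (5, 2, 1); rejects anything that is not three dotted integers."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(g) for g in m.groups())

def version_affected(text):
    v = parse_version(text)
    return v in AFFECTED_5_2 or v <= LAST_AFFECTED_5_0

def is_cbc_suite(name):
    """OpenSSL-style suite name -> True if its bulk cipher runs in CBC mode."""
    n = name.upper()
    if any(tag in n for tag in ("GCM", "CCM", "CHACHA20", "RC4", "NULL")):
        return False  # AEAD, stream and NULL suites are not CBC
    return any(alg in n for alg in ("AES", "DES-CBC3", "3DES", "CAMELLIA", "SEED"))

def triage(rec):
    """Apply the advisory's conditions to one inventory record -> (vulnerable, advice)."""
    if rec["platform"] == "vm":
        return False, "FortiGate VM: not affected"
    if not version_affected(rec["version"]):
        return False, "FortiOS version outside the affected range"
    if not rec["cp_accelerated"]:
        return False, "no accelerated CP processor: not affected"
    features = sorted(AFFECTED_FEATURES & set(rec["features"]))
    cbc = [c for c in rec["ciphers"] if is_cbc_suite(c)]
    if not features or not cbc:
        return False, "no affected SSL feature with a CBC suite enabled"
    fixed = FIXED.get(parse_version(rec["version"])[:2], "a release listed as fixed in the advisory")
    return True, (f"upgrade to {fixed} or later; interim workaround: "
                  f"'set virtual-server-hardware-acceleration disable' "
                  f"(features {features}, CBC suites {cbc})")

# Constructed sample record, not real device data.
SAMPLE = {"platform": "hw", "version": "5.2.1", "cp_accelerated": True,
          "features": ["ssl-offload"], "ciphers": ["AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384"]}

if __name__ == "__main__":
    print(triage(SAMPLE))
```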