This article describes how to disable Secure Sockets Layer version 3 (SSLv3) on Customer Voice Portal (CVP) in order to resolve the Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability issue.
Contributed by Natalia Fuentes Fuentes, Cisco TAC Engineer.
Cisco recommends that you have knowledge of these topics:
Cisco Unified Contact Center Enterprise (UCCE)
Transport Layer Security (TLS) and its predecessor, SSL
Internet Information Services (IIS) Web Server
The information in this document is based on these software and hardware versions:
CVP 10.0(1) and 10.5(1)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
CVP could be affected by POODLE vulnerability.
POODLE is an SSLv3 protocol vulnerability and it allows attackers to:
Downgrade SSL/TLS protocol to version SSLv3
Break the cryptographic security
Step 1. From the Windows Start menu, select Start > Control Panel > Administrative Tools > Services.
Highlight the services:
Cisco CVP Voice External Markup Language (VXML) Server
CVP Operations Console
Cisco CVP WebServicesManager
Click Stop the service link in the upper left corner of the screen.
Step 2. Backup the server.xml file for the Unified CVP components located in the path.