In the wake of the POODLE vulnerability, our security teams have flagged our ESXi hosts for using SSLv3 for the traffic going over the web interface, on port 443.
Is there any way to disable the use of SSL v3 in the ESXi web server? I've looked for KBs explaining how to do this, but I found nothing.
I also had a quick look at the advanced settings and there was nothing there.
Am I missing something really obvious?
I've got a ticket in to VMware asking the same. Qualys flagged all our hosts as vulnerable, but the VMware KB article makes it sound like more of a client-side vulnerability than a server-side one.
Is there any patch which contains the fix already available?
Regarding this CVE, the POODLE attack is an attack against the client browser, NOT against the server side...
So the only way at this time to mitigate this issue is disabling SSL v3 in your browser. (This would force the client-server communication to use TLS.)
For more info see:
VMware KB: VMware Products and CVE-2014-3566 (POODLE)
VMware is planning to phase out the support of SSL v3 in its products during the next available maintenance releases.
Just a heads up: I've been waiting for a patch for some time as well, for both the vCenter server and ESXi. I just tried the vCenter update 2e that was just released, and unfortunately they didn't do anything about it in this release either, never mind for ESXi...
It's fixed with 6.0. That pretty much forced me to upgrade (in order to maintain PCI DSS compliance).
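To confirm what a scanner reports for port 443, or to re-check a host after an upgrade, the Python sketch below sends a ClientHello that offers SSL 3.0 as its highest version and reports whether the server completes a ServerHello at that version. It is an added example, not code from any poster in this thread or from VMware; the cipher-suite list and the host name in the usage comment are assumptions.

```python
import os
import socket
import struct
import sys

SSL3 = b"\x03\x00"
# CBC and RC4 suites that exist in SSLv3 (assumed offer list; a server that
# supports only other suites would answer with an alert).
SUITES = b"\x00\x0a\x00\x2f\x00\x35\x00\x05"

def build_sslv3_client_hello(random32=None):
    """Return one record holding a ClientHello whose maximum version is SSL 3.0."""
    if random32 is None:
        random32 = os.urandom(32)
    body = (SSL3 + random32 + b"\x00"                  # version, random, empty session id
            + struct.pack(">H", len(SUITES)) + SUITES  # cipher suites
            + b"\x01\x00")                             # null compression only
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack(">H", len(handshake)) + handshake

def classify_response(data):
    """Interpret the first bytes the server sent back."""
    if len(data) < 5 or data[0] == 0x15:   # closed connection or alert record
        return "rejected"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        # ServerHello: the chosen version follows the 4-byte handshake header
        return "sslv3-accepted" if data[9:11] == SSL3 else "other-version"
    return "unknown"

def probe(host, port=443, timeout=5.0):
    """Send the hello to host:port and classify the reply."""
    data = b""
    # A failure to connect at all propagates as an exception, not "rejected".
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            sock.sendall(build_sslv3_client_hello())
            while len(data) < 11:
                chunk = sock.recv(11 - len(data))
                if not chunk:
                    break
                data += chunk
        except (ConnectionResetError, socket.timeout):
            pass  # a reset or silence after the hello means no SSLv3 handshake
    return classify_response(data)

if __name__ == "__main__":
    # Usage: python check_sslv3.py esxi01.example.internal  (placeholder host name)
    print(probe(sys.argv[1]))
```

A result of `sslv3-accepted` means the service still negotiates SSL 3.0; `rejected` means it answered with an alert or dropped the connection.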