- Plesk for Linux
- Plesk for Windows
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses non-deterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack.
Call to Action
Check the vulnerability
By default, Plesk for Linux 12.5 and later is protected from this attack. On Windows, protection depends not on the Plesk version but on the Windows version. The instructions and the check script are given below.
The check can be run from any Linux machine that can establish a connection to the server. To run the test, download and unpack poodle.sh and specify the list of ports:
Connect to a Linux Server via SSH.
Download the archive with the script and extract it:
# wget https://plesk.zendesk.com/hc/article_attachments/360008398333/poodle.zip
# unzip poodle.zip
Launch the script with the list of ports to run the check. For example:
# for i in 21 587 443 465 7081 8443 993 995; do /bin/sh poodle.sh 203.0.113.2 $i; done
Note: Place the server IP instead of
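As an added example (not Plesk's poodle.sh, whose contents are not shown here), the following POSIX shell script performs the same kind of per-port probe with `openssl s_client -ssl3` and classifies the result. The STARTTLS handling for ports 21 and 587, and the output patterns it matches, are assumptions about the local openssl build.

```shell
#!/bin/sh
# Added example, not Plesk's poodle.sh: probe HOST:PORT for SSLv3 support with
# "openssl s_client -ssl3" and classify the outcome.
# Assumptions: the local openssl still accepts -ssl3 (builds from 1.1.0 on
# usually do not, which is reported as UNKNOWN, never as "safe"), and ports
# 21/587 need STARTTLS while the other ports use implicit TLS.

# Extra s_client flags for ports that negotiate TLS after a plaintext greeting.
starttls_arg() {
    case "$1" in
        21)  echo "-starttls ftp" ;;
        587) echo "-starttls smtp" ;;
        *)   echo "" ;;
    esac
}

# Classify captured s_client output:
#   VULNERABLE     - an SSLv3 session was negotiated (real cipher in the session block)
#   NOT_VULNERABLE - the server refused SSLv3 (session block shows Cipher 0000)
#   UNKNOWN        - the test itself could not run (no -ssl3 locally, no openssl,
#                    connection refused, or unrecognised output); check manually
classify_s_client() {
    out="$1"
    case "$out" in
        *"nknown option"*|*"not found"*|*"connect:errno"*|*"Connection refused"*)
            echo UNKNOWN ;;
        *"Protocol  : SSLv3"*"Cipher    : 0000"*) echo NOT_VULNERABLE ;;
        *"Protocol  : SSLv3"*)                    echo VULNERABLE ;;
        *)                                        echo UNKNOWN ;;
    esac
}

# probe_sslv3 HOST PORT -> prints the classification for that endpoint.
probe_sslv3() {
    flags=$(starttls_arg "$2")
    # "Q" on stdin makes s_client close the session right after the handshake.
    # $flags is intentionally unquoted so "-starttls smtp" splits into two words.
    out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" -ssl3 $flags 2>&1)
    classify_s_client "$out"
}

# Usage: sh sslv3_check.sh 203.0.113.2 21 587 443 465 7081 8443 993 995
if [ "$#" -ge 2 ]; then
    host=$1; shift
    for port in "$@"; do
        printf '%s:%s %s\n' "$host" "$port" "$(probe_sslv3 "$host" "$port")"
    done
fi
```

Treat UNKNOWN as "not tested", not as "not vulnerable"; on a modern workstation whose openssl no longer supports SSLv3, every port will come back UNKNOWN and a different probing host is needed.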
If the server is vulnerable, then:
On Plesk for Linux, log into the server via SSH and run the following command to disable SSLv3 for all services:
# plesk bin server_pref --update -ssl-protocols "TLSv1 TLSv1.1 TLSv1.2"
On Plesk for Windows, use IIS Crypto to disable the SSL 3.0 protocol.