On October 14, 2014, a significant vulnerability in the design of Secure Sockets Layer (SSL) v3.0 was announced. This attack is commonly known as POODLE (Padding Oracle On Downgraded Legacy Encryption).
By default, the JSS specifies the use of the Transport Layer Security (TLS) communication protocol, but it does not explicitly disable any other protocols, including SSL v3.0. This article describes how to disable SSL v3.0 and only use TLS for connections to the JSS.
Versions 9.6 and earlier of the jamfds binary use SSL v3.0 for connections from the JAMF Distribution Server (JDS) to the JSS and other JDS instances. Version 9.61 of the jamfds binary uses TLS instead of SSL v3.0.
To update the jamfds binary:
If you are using a JDS instance in your environment, you must download and install v9.61 of the jamfds binary before modifying the HTTPS connector for port 8443 in the server.xml file.
To modify the HTTPS connector for port 8443 in the server.xml file:
For more information about POODLE, see the Security Update.
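To confirm the result of the server.xml change, the Python script below audits each HTTPS connector for whether SSL v3.0 is explicitly excluded. It is an added example, not part of the original article or JAMF's own tooling. It assumes a Tomcat JSSE-style connector whose protocol list is set with the sslEnabledProtocols attribute; the sample server.xml, the port 9443 connector and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from a real JSS install). Port 9443 is a
# hypothetical second connector that shows a pinned, TLS-only protocol list.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"/>
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"/>
  </Service>
</Server>"""


def audit_connectors(xml_text):
    """Return {port: [findings]} for every HTTPS Connector in server.xml."""
    results = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        is_https = (conn.get("SSLEnabled", "").lower() == "true"
                    or conn.get("scheme", "").lower() == "https")
        if not is_https:
            continue  # plain HTTP connector, nothing to negotiate
        findings = []
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            # Assumption: without this attribute the JVM default set applies,
            # so SSL v3.0 is not explicitly disabled.
            findings.append("sslEnabledProtocols not set; SSLv3 not explicitly disabled")
        else:
            names = [p.strip() for p in enabled.split(",") if p.strip()]
            legacy = [p for p in names if p.lower().startswith("ssl")]
            if legacy:
                findings.append("legacy protocols enabled: " + ", ".join(legacy))
            if not any(p.lower().startswith("tls") for p in names):
                findings.append("no TLS protocol enabled")
        results[conn.get("port")] = findings
    return results


if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

An empty findings list for port 8443 means the connector pins a TLS-only protocol list; run it against a copy of the real server.xml by passing the file contents to audit_connectors.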