BEAST and POODLE vulnerabilities

I have a new install of Server 2012R2 and Exchange 2013 (no edge server role installed and nothing else installed on this machine). We are failing our PCI compliance testing with the following failures:

osCommerce allows cross-site scripting

CVE-2003-1219

server is susceptible to BEAST attack

CVE-2011-3389

server is susceptible to SSL POODLE attack

CVE-2014-3566

I have disabled the reg key for SSL 3.0 server, and I am still failing the POODLE vuln. Can anyone help me with getting past these issues?

June 28th, 2015 1:15pm

Hi,

According to your error, we need to disable SSL 3.0.

Then we can reboot the Exchange server and restart the Exchange-related transport services.

For more detailed steps, please refer to the below article:

http://blogs.technet.com/b/samdrey/archive/2014/10/17/vulnerability-in-ssl-3-0-poodle-attack-and-exchange-2010-or-exchange-2013.aspx

Best Regards,

David

June 29th, 2015 7:49am
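The registry change the linked article walks through, as an added example that is not part of this thread or of Microsoft's article: it writes the Schannel values that turn SSL 2.0 and SSL 3.0 off for both the Server and Client side on Windows Server 2012 R2, then prints what is actually on disk for every protocol key. Schannel only reads these values at boot, so an external scan keeps reporting POODLE until the server has been restarted; because the setting is system-wide it covers every Exchange TLS listener (HTTPS, SMTP, IMAP, POP) at once. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original thread or the linked article.
# Disables SSL 2.0 and SSL 3.0 in Schannel on Windows Server 2012 R2 and shows
# the resulting per-protocol state. Requires an elevated session and a reboot
# afterwards for the change to take effect.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base "$proto\$side"
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # Both values are DWORDs. Enabled=0 switches the protocol off outright;
        # DisabledByDefault=1 keeps it out of the default list an application gets
        # when it does not name protocols explicitly.
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Report what Schannel will see at next boot. A missing key means the OS default
# applies (on 2012 R2: SSL 3.0, TLS 1.0, 1.1 and 1.2 enabled, SSL 2.0 disabled).
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base "$proto\$side"
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            '{0,-8} {1,-6} Enabled={2} DisabledByDefault={3}' -f $proto, $side, $p.Enabled, $p.DisabledByDefault
        } else {
            '{0,-8} {1,-6} (no key: OS default applies)' -f $proto, $side
        }
    }
}
```

The report at the end is the check to run when a scan still flags POODLE after "disabling the key": a value created as a string instead of a DWORD, a typo in the protocol name (the key is `SSL 3.0` with a space), or a server that has not yet been rebooted all show up there.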

Disabling SSL 3.0 solves the POODLE vulnerability. It is still susceptible to BEAST until TLS 1.0 is disabled. I do not believe you can disable TLS 1.0 and still have Exchange function properly. If anyone is aware of a fix for this, I would appreciate hearing about it.
July 8th, 2015 8:56am
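To see which protocol versions the server will still negotiate from the outside, the way a PCI scanner does, the following probe is an added example (not code from this thread). It opens a raw TLS handshake on each implicit-TLS port for each protocol version in turn and reports which succeed; the host name and port list are assumptions to replace with your own. Run it from a machine other than the Exchange server, since the probing side also obeys its own Schannel client settings: on a host where SSL 3.0 Client is disabled, the SSL 3.0 attempt fails whatever the server does.

```powershell
# Added example, not from the original thread. Probes a TLS listener for each
# protocol version and reports which ones the server accepts. Host and ports
# below are assumed values.
$target = 'mail.example.com'   # assumed; use the Exchange server's public name
$ports  = 443, 993, 995         # assumed implicit-TLS listeners (HTTPS, IMAPS, POP3S)
# SMTP on 25/587 uses STARTTLS, which needs the SMTP exchange first; this probe
# does not do that, so those ports are deliberately left out.

# We are testing protocol support, not trust, so accept any certificate.
$acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]

foreach ($port in $ports) {
    foreach ($proto in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $tcp.Connect($target, $port)
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
            # Offer exactly one protocol version so a success means the server
            # accepted that version rather than a higher one.
            $ssl.AuthenticateAsClient(
                $target,
                $null,
                [System.Security.Authentication.SslProtocols]$proto,
                $false)
            '{0}:{1,-4} {2,-6} negotiated  ({3}, {4}-bit)' -f $target, $port, $proto, $ssl.CipherAlgorithm, $ssl.CipherStrength
        } catch {
            '{0}:{1,-4} {2,-6} refused' -f $target, $port, $proto
        } finally {
            $tcp.Close()
        }
    }
}
```

After the SSL 3.0 registry change and a reboot, the `Ssl3` row should read `refused` on every port; if it still negotiates, the server has not picked up the change. The `Tls` (TLS 1.0) row shows whether the BEAST finding will remain for a scanner that keys on TLS 1.0 support.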
