Ping Identity Security Team confirmed updates on all PingOne and PingID production, staging, test and third-party services affected by this vulnerability by removing affected ciphers and proposing a gradual removal of SSL v.3 as of yesterday (October 15, 2014). Ping Identity Site Reliability Team re-deployed Ping's entire hosted infrastructure with fresh instance versions containing disabled SSL v.3 or affected ciphers by 2:14 PM MST Wednesday afternoon. Security Operations has zero indications any systems were compromised, and are continuing to monitor the situation closely.

This attack specifically requires a combination of "man in the middle" network compromise to modify traffic in flight and a compromised browser and target resource. Generally, in a situation with these requirements, there are lots of bad things that can also happen, POODLE attacks being just one of them.

Customers running PingFederate on-premise may be at risk to the POODLE vulnerability if their configurations of PingFederate have SSL v.3 enabled. Ping Identity recommends disabling all compromised ciphers and SSL v.3 where possible. Any customers running older versions of Java are encouraged to check JCE and JDK official documentation for compromised ciphers and upgrade or disable ciphers where possible.

Ping Identity has confirmed that PingAccess 2.0.1 and higher is not affected by POODLE. Ping Identity recommends anyone using 2.0.0 and earlier to upgrade to latest versions of 2.x and 3.x versions.

For more detail see: https://ping.force.com/Support/PingIdentitySecurityBulletin?id=kA6400000004GU1CAM.

Details about the vulnerability can be found on the National Vulnerability Database website via Alert CVE-2014-3566: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566.

Ping Identity customers with concerns regarding issues related to CVE-2014-3566 are encouraged to open a ticket with our Global Support organization by contacting support@pingidentity.com.