Using VMware Horizon View and an External Security Server? You may be vulnerable to “Poodle” (CVE-2014-3566)!
VMware has released several KB’s on the issue.
In regards to Horizon, 5.3.3’s release notes clearly state that the Blast Secure Gateway and View Agent Direct Connection feature have had SSLv3 disabled. What it doesn’t tell you, is that the PCOIP secure gateway has not had this setting change.
According to KB 2094442 above:
The PCoIP Secure Gateway (PSG) provides secure connections to a security server or View Connection Server over PCoIP. The PSG listens on port 4172 by default. This gateway is not configurable. However, the PSG only accepts connections over PCoIP, and only clients running Horizon Client software can connect to the PSG. Browsers cannot access the PSG.
Great! Except my PCI External Scan still detects SSLv3 on port 4172, so it is telling me I have a “PCI Fail”.
My only options are to file a “false positive” request with the scanner based on the information in the KB or VMware could actually just remove SSLv3 and help us get back to work.