We recently posted about the POODLE vulnerability, a flaw in the SSL 3.0 protocol that affects FTPS and HTTPS. This has now been addressed in the release of CompleteFTP 8.1.3, which disables SSL 3.0 by default. SSL 3 is superseded by TLS, and over 99% of clients should support TLS 1.0 or higher. Users should upgrade as soon as possible by uninstalling and reinstalling using the latest production installer, available now.

It is worth clarifying how POODLE is exploited. It requires an attacker to place themselves between the client and the server. This is not easy to do for FTPS, and so POODLE is not a major issue for users of FTPS. However, HTTPS is quite easy to exploit via a malicious site serving up JavaScript that forces a fallback to SSL 3. Consequently, if HTTPS is enabled on your CompleteFTP server then you should upgrade as soon as possible.

Announcements about our other products susceptible to POODLE (edtFTPnet/PRO and edtFTPj/PRO) will be made in due course. Again, if HTTPS is not being used then exploitation of POODLE is unlikely.