Symptoms

It was found that it is possible to connect to the XML RPC OpenAPI on an OA or BA application using the outdated security protocols TLS v1.1 and SSL v3.

Cause

A custom IQXMLRPC library is used to establish the connection to XMLRPCD for both OA and BA servers. Feature request PFR-1247 was submitted to the developers to replace this library with a standard one that supports more recent protocols.

Resolution

Mitigation is not required. TLS v1.1 does not contain any known protocol-wide vulnerabilities. SSL v3 is known to be insecure because of the POODLE attack. That attack applies to a scenario where the attacker can run JavaScript in the victim's browser and, at the same time, sniff the encrypted traffic. Both requirements must be met: POODLE is an active attack, not a passive one that only observes traffic on the wire. Through the POODLE attack, the attacker can decrypt part of the SSL-protected traffic.

As XML RPC has no browser components, an attacker has no way to influence the client's traffic. Therefore the POODLE attack cannot be applied to the XML RPC case.
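A way to confirm the finding, and to re-check once the replacement library from PFR-1247 ships, as an added example that is not part of this article or of the OA/BA product: a small Python probe that pins each handshake to exactly one protocol version and reports which legacy versions the endpoint still accepts. The host name and port are placeholders; XMLRPCD's real listening port is not stated above.

```python
import socket
import ssl

# Versions the article discusses; SSLv3 is often compiled out of modern OpenSSL.
LEGACY_VERSIONS = {"SSLv3": ssl.TLSVersion.SSLv3, "TLSv1.1": ssl.TLSVersion.TLSv1_1}

def handshake_with(host, port, version, timeout=5.0):
    """One handshake pinned to exactly `version`: returns "accepted", "refused",
    "unreachable" or "untestable" (local OpenSSL cannot enable that version)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # the protocol version is under test, not the cert
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # OpenSSL 3 forbids TLS < 1.2 at the default security level; lower it for
        # the probe only. This is never an acceptable setting for a real client.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ssl.SSLError, ValueError):
        return "untestable"
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted" if tls.version() else "refused"
        except OSError:  # SSLError, reset or EOF: the server declined this version
            return "refused"

def probe(host, port):
    """Probe every legacy version; returns {name: outcome}."""
    return {name: handshake_with(host, port, v) for name, v in LEGACY_VERSIONS.items()}

def assess(results):
    """Turn probe outcomes into findings, following the article's own risk reasoning."""
    findings = []
    if results.get("SSLv3") == "accepted":
        findings.append("SSLv3 accepted: POODLE-affected protocol, disable it server-side")
    if results.get("TLSv1.1") == "accepted":
        findings.append("TLSv1.1 accepted: deprecated, tracked by PFR-1247")
    return findings

if __name__ == "__main__":
    # Placeholder endpoint: substitute the real OA/BA XMLRPCD host and port.
    outcome = probe("xmlrpcd.example.internal", 8443)
    print(outcome, assess(outcome) or ["no legacy protocol accepted"])
```

An "untestable" outcome means the probing machine's OpenSSL build cannot speak that version at all, so it says nothing about the server; run the probe from a host with an older OpenSSL or use a dedicated scanner in that case.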
