Security Message

**Security / Technical Update**    

Following industry best practice and to maintain a high standard of system security, we will be discontinuing support for the TLSv1.0 internet protocol on April 7th, 2018 on VWR.com.  After this date, our websites will only support PCI-compliant versions of TLS (1.1, 1.2).  We do not anticipate any customer disruption with this change; however, as a precaution, please share this message with your IT & eProcurement system resources.

Migrating from SSL and Early TLS

 

Dear Valued Customer,

Due to a publicly disclosed vulnerability in SSL v3 (nicknamed POODLE), VWR will be discontinuing support for the SSL v3 protocol on a date (to be determined) within the near future. SSLv3 is largely obsolete, but it is important for any organizations still using this protocol to be aware of a security flaw that was revealed on October 14th by the Google Security team. A detailed summary of this vulnerability is available via the following links: https://www.openssl.org/~bodo/ssl-poodle.pdf and https://blogs.akamai.com/2014/10/ssl-is-dead-long-live-tls.html.

This vulnerability does not impact TLS, which is the recommended protocol that is already supported by VWR systems. Our VWR b2b punchout site supports TLS (up to version 1.2) and our b2b gateway for backend EDI/XML transactions supports TLS version 1.0 currently.

Please consult with your IS or Security teams to confirm that your servers are set up to use only the TLS protocol, and to disable SSLv3 immediately. The best approach is for your technical team to make this change at the server level, as this will fully mitigate the existing security risk and help to ensure a smooth transition for all users. To disable SSLv3 at the client-side browser level, please see this published link: http://tweaks.com/windows/67027/how-to-protect-ie-chrome-and-firefox-from-the-poodle-ssl-v3-exploit/

If your technical team does not implement a plan to migrate to a TLS protocol, then your punchout & other integrated ordering connections will not work once SSLv3 support is disabled on a planned date within the near future. This issue may impact all of your b2b supplier connections if it is not addressed in a timely fashion.

We will publish another communication in the near future to provide the exact date that VWR will fully disable support for SSLv3. If you have technical questions, please contact us as soon as possible.

 

VWR B2B Support & Security Team
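
The following is an added example, not VWR's code: a Python check a technical team could run against its own integration client to predict whether the client will still connect once only TLS 1.1 and 1.2 are accepted, and whether it still has SSLv3 or TLS 1.0 enabled. The function names and the model (a client described only by its minimum and maximum protocol version) are assumptions of this example.

```python
import ssl

V = ssl.TLSVersion
# Concrete protocol versions, oldest first (the enum's two sentinels are resolved below).
ORDERED = [V.SSLv3, V.TLSv1, V.TLSv1_1, V.TLSv1_2, V.TLSv1_3]
# What the notice says the site accepts after the cutoff: TLS 1.1 and 1.2 only.
SERVER_ACCEPTS = {V.TLSv1_1, V.TLSv1_2}
# Protocols the notices retire: SSLv3 and TLS 1.0.
RETIRED = {V.SSLv3, V.TLSv1}

def _resolve(v):
    """Map the MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED sentinels to concrete versions."""
    if v == V.MINIMUM_SUPPORTED:
        return ORDERED[0]
    if v == V.MAXIMUM_SUPPORTED:
        return ORDERED[-1]
    return v

def audit(minimum, maximum, server=SERVER_ACCEPTS):
    """Predict the handshake outcome for a client with these version bounds."""
    lo, hi = _resolve(minimum), _resolve(maximum)
    offered = [v for v in ORDERED if lo <= v <= hi]
    common = [v for v in offered if v in server]
    return {
        # Version negotiation settles on the highest version both sides allow.
        "negotiated": max(common) if common else None,
        "survives_cutoff": bool(common),
        # Retired versions still enabled: not fatal here, but they should be off.
        "retired_enabled": [v for v in offered if v in RETIRED],
    }

def hardened_client_context():
    """Client context that never offers SSLv3, TLS 1.0 or TLS 1.1."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = V.TLSv1_2
    return ctx

def audit_context(ctx):
    """Audit a live SSLContext. Only its min/max bounds are modelled; per-version
    ssl.OP_NO_* options and the OpenSSL build can narrow the set further."""
    return audit(ctx.minimum_version, ctx.maximum_version)

if __name__ == "__main__":
    # Constructed cases: a legacy client capped at TLS 1.0, then a hardened one.
    print("legacy  :", audit(V.SSLv3, V.TLSv1))
    print("hardened:", audit_context(hardened_client_context()))
```

A client whose result shows `survives_cutoff` as false has no protocol version in common with the site and will fail at the handshake after the cutoff date.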