Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 4.3
CVE Id CVE-2014-3566
Last Modified 18 Sep 2015 09:59:24
Published 14 Oct 2014 08:55:02
Confidentiality Impact PARTIAL
Integrity Impact NONE
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2014-3566

Summary

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

Vulnerable Systems

Application

  • OpenSSL 1.0.0

  • OpenSSL 1.0.0a

  • OpenSSL 1.0.0b

  • OpenSSL 1.0.0c

  • OpenSSL 1.0.0d

  • OpenSSL 1.0.0e

  • OpenSSL 1.0.0f

  • OpenSSL 1.0.0g

  • OpenSSL 1.0.0h

  • OpenSSL 1.0.0i


References

MISC - https://www.openssl.org/~bodo/ssl-poodle.pdf

MISC - http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

MISC - https://www.imperialviolet.org/2014/10/14/poodle.html

MISC - https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html

CONFIRM - https://technet.microsoft.com/library/security/3009008.aspx

CONFIRM - https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1152789

CONFIRM - https://bugzilla.mozilla.org/show_bug.cgi?id=1076983

CONFIRM - https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

CONFIRM - https://access.redhat.com/articles/1232123

CONFIRM - http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3566.html

MLIST - [openssl-dev] 20141014 Patch to mitigate CVE-2014-3566 ("POODLE")

CONFIRM - http://blogs.technet.com/b/msrc/archive/2014/10/14/security-advisory-3009008-released.aspx

MISC - http://blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html

MISC - http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566

CONFIRM - https://www.suse.com/support/kb/doc.php?id=7015773

CONFIRM - https://support.apple.com/kb/HT6542

CONFIRM - https://support.apple.com/kb/HT6541

CONFIRM - https://support.apple.com/kb/HT6536

CONFIRM - https://support.apple.com/kb/HT6535

APPLE - APPLE-SA-2014-10-20-1

APPLE - APPLE-SA-2014-10-20-2

CISCO - 20141014 SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability

APPLE - APPLE-SA-2014-10-16-3

APPLE - APPLE-SA-2014-10-16-1

CONFIRM - https://support.apple.com/kb/HT6531

CONFIRM - https://support.apple.com/kb/HT6529

CONFIRM - https://support.apple.com/kb/HT6527

CONFIRM - https://bto.bluecoat.com/security-advisory/sa83

SECTRACK - 1031123

SECTRACK - 1031107

SECTRACK - 1031106

SECTRACK - 1031105

SECTRACK - 1031096

SECTRACK - 1031095

SECTRACK - 1031094

SECTRACK - 1031093

SECTRACK - 1031092

SECTRACK - 1031091

SECTRACK - 1031090

SECTRACK - 1031089

SECTRACK - 1031088

SECTRACK - 1031087

SECTRACK - 1031086

SECTRACK - 1031085

SECTRACK - 1031039

SECTRACK - 1031029

BID - 70574

APPLE - APPLE-SA-2014-10-16-4

MANDRIVA - MDVSA-2014:203

CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21687172

SECUNIA - 61827

SECUNIA - 61825

SECUNIA - 61810

SECUNIA - 61782

SECUNIA - 61359

SECUNIA - 61345

SECUNIA - 61303

SECUNIA - 61019

SECUNIA - 60792

SECUNIA - 60056

CERT - TA14-290A

CERT-VN - VU#577193

CONFIRM - https://www.openssl.org/news/secadv_20141015.txt

DEBIAN - DSA-3053

REDHAT - RHSA-2014:1692

REDHAT - RHSA-2014:1652

HP - HPSBUX03162

HP - SSRT101767

HP - HPSBHF03156

HP - HPSBMU03152

SUSE - openSUSE-SU-2014:1331

CONFIRM - https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_openssl6

SECTRACK - 1031132

SECTRACK - 1031131

SECTRACK - 1031130

SECTRACK - 1031124

SECTRACK - 1031120

CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21687611

CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21686997

CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=isg3T1021439

CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=isg3T1021431

CONFIRM - http://support.citrix.com/article/CTX200238

SECUNIA - 61995

SECUNIA - 61926

SECUNIA - 61819

SECUNIA - 61316

SECUNIA - 61130

SECUNIA - 60859

SECUNIA - 60206

SECUNIA - 59627

REDHAT - RHSA-2014:1653

SUSE - SUSE-SU-2014:1361

SUSE - SUSE-SU-2014:1357

FEDORA - FEDORA-2014-13012

FEDORA - FEDORA-2014-13069

FEDORA - FEDORA-2014-12951

CONFIRM - http://blog.nodejs.org/2014/10/23/node-v0-10-33-stable/

CONFIRM - http://aix.software.ibm.com/aix/efixes/security/openssl_advisory11.asc

CONFIRM - http://advisories.mageia.org/MGASA-2014-0416.html

NETBSD - NetBSD-SA2014-015

CONFIRM - https://groups.google.com/forum/#!topic/docker-user/oYm0i3xShJU

CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21688283

HP - HPSBGN03209

HP - HPSBGN03202

HP - HPSBGN03203

HP - HPSBGN03201

HP - HPSBMU03214

CONFIRM - http://downloads.asterisk.org/pub/security/AST-2014-011.html

CONFIRM - https://www-01.ibm.com/support/docview.wss?uid=swg21688165

REDHAT - RHSA-2014:1920

REDHAT - RHSA-2014:1882

REDHAT - RHSA-2014:1881

REDHAT - RHSA-2014:1880

REDHAT - RHSA-2014:1877

REDHAT - RHSA-2014:1876

REDHAT - RHSA-2014:1948

HP - HPSBGN03205

SUSE - SUSE-SU-2014:1549

SUSE - SUSE-SU-2014:1526

CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

CONFIRM - http://support.apple.com/HT204244

APPLE - APPLE-SA-2015-01-27-4

DEBIAN - DSA-3147

DEBIAN - DSA-3144

HP - HPSBST03265

HP - SSRT101951

HP - SSRT101899

HP - SSRT101854

HP - SSRT101838

HP - HPSBGN03222

UBUNTU - USN-2487-1

UBUNTU - USN-2486-1

HP - SSRT101894

HP - SSRT101928

HP - SSRT101896

HP - SSRT101898

HP - SSRT101897

HP - SSRT101779

HP - SSRT101849

SUSE - SUSE-SU-2015:0392

SUSE - SUSE-SU-2015:0376

SUSE - SUSE-SU-2015:0345

SUSE - SUSE-SU-2015:0344

SUSE - SUSE-SU-2015:0336

SUSE - openSUSE-SU-2015:0190

REDHAT - RHSA-2015:0264

REDHAT - RHSA-2015:0086

REDHAT - RHSA-2015:0085

REDHAT - RHSA-2015:0080

REDHAT - RHSA-2015:0079

REDHAT - RHSA-2015:0068

HP - SSRT101921

HP - SSRT101916

HP - HPSBMU03259

HP - SSRT101922

HP - HPSBMU03267

HP - SSRT101968

HP - SSRT101868

HP - HPSBUX03281

SUSE - SUSE-SU-2015:0503

REDHAT - RHSA-2015:0698

HP - SSRT101846

HP - SSRT101998

SUSE - SUSE-SU-2015:0578

HP - SSRT101790

CONFIRM - http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0

MANDRIVA - MDVSA-2015:062

HP - SSRT101795

HP - HPSBMU03304

HP - HPSBST03195

HP - HPSBHF03300

BUGTRAQ - 20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE

CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

MISC - http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html

HP - SSRT101892

DEBIAN - DSA-3253

HP - SSRT101834

CONFIRM - https://www.elastic.co/blog/logstash-1-4-3-released

CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

REDHAT - RHSA-2015:1546

REDHAT - RHSA-2015:1545

CONFIRM - https://support.apple.com/HT205217

APPLE - APPLE-SA-2015-09-16-2

Related Patches

SUN122911-34 Solaris 10 SPARC: Apache 1.3 Patch

SUN122912-34 Solaris 10 x86: Apache 1.3 Patch

SUN143506-10 Solaris 10 SPARC: GNOME 2.6.0: Python patch

SUN143507-10 Solaris 10 x86: GNOME 2.6.0: Python patch

SUN145080-15 Solaris 10 SPARC: Firefox patch

SUN145081-14 Solaris 10 x86: Firefox patch

SUN148071-15 Solaris 10 SPARC: openssl patch

SUN148072-15 Solaris 10 x86: openssl patch

Apple 2014-005 Security Update for Mac OS X 10.8.5 (HT6531)

Apple 2014-005 Security Update for Mac OS X 10.9.5 (HT6531)

Apple 2015-001 Security Update for Mac OS X 10.8.5 (HT204244)

Apple 2015-001 Security Update for Mac OS X 10.9.5 (HT204244)

Oracle Java SE Runtime Environment (JRE) 7 Update 75 for Mac OS X

Oracle Java SE Runtime Environment (JRE) 8 Update 31 for Mac OS X

Apple Yosemite 10.10.2 Update (Combo) for Mac OS X (HT204244) (Rev 2)

Apple Yosemite 10.10.2 Update for Mac OS X (HT204244)


Last Updated: 27 May 2016 11:08:20