CVE-2014-3566
Description
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2014-3566
Vendor advisory: secalert@redhat.com — https://www.openssl.org/~bodo/ssl-poodle.pdf
Vendor advisory: secalert@redhat.com — https://www.openssl.org/news/secadv_20141015.txt
Vendor advisory: secalert@redhat.com — https://technet.microsoft.com/library/security/3009008.aspx
Vendor advisory: secalert@redhat.com — https://support.apple.com/kb/HT6542
Vendor advisory: secalert@redhat.com — https://support.apple.com/kb/HT6541
Vendor advisory: secalert@redhat.com — https://support.apple.com/kb/HT6536
Vendor advisory: secalert@redhat.com — https://support.apple.com/kb/HT6535
Vendor advisory: secalert@redhat.com — https://support.apple.com/kb/HT6531
Vendor advisory: secalert@redhat.com — https://support.apple.com/kb/HT6529
Vendor advisory: secalert@redhat.com — https://support.apple.com/kb/HT6527
Vendor advisory: secalert@redhat.com — https://support.apple.com/HT205217
Vendor advisory: secalert@redhat.com — http://www.ubuntu.com/usn/USN-2487-1
Vendor advisory: secalert@redhat.com — http://www.ubuntu.com/usn/USN-2486-1
Vendor advisory: secalert@redhat.com — http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Vendor advisory: secalert@redhat.com — http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
Vendor advisory: secalert@redhat.com — http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2014-3566.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | bookworm | fixed | 0 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 0 |
| debian | sid | fixed | 0 |
| debian | trixie | fixed | 0 |
| freebsd | 5.1.1 | affected | |
| freebsd | 5.1.2 | affected | |
| freebsd | 5.1.3 | affected | |
| freebsd | 5.1.4 | affected | |
| freebsd | 5.2 | affected | |
| freebsd | 5.2.1 | affected | |
| freebsd | 5.2.2 | affected | |
| freebsd | 6.0 | affected | |
| freebsd | 6.0.1 | affected | |
| freebsd | 6.0.2 | affected | |
| freebsd | 6.0.3 | affected | |
| freebsd | 6.0.4 | affected | |
| freebsd | 6.0.5 | affected | |
| freebsd | 6.0.6 | affected | |
| freebsd | 6.1 | affected | |
| freebsd | 6.1.1 | affected | |
| freebsd | 6.1.2 | affected | |
| freebsd | 6.1.3 | affected | |
| freebsd | 6.1.4 | affected | |
| freebsd | 6.1.5 | affected | |
| debian | 7.0 | affected | |
| debian | 8.0 | affected | |
| macos | | affected | |
| suse | 11.0 | affected | |
| suse | 12.0 | affected | |
| suse | 12.3 | affected | |
| suse | 13.1 | affected | |
| rhel | 5 | affected | |
| rhel | 6.0 | affected | |
| rhel | 7.0 | affected | |
| fedora | 19 | affected | |
| fedora | 20 | affected | |
| fedora | 21 | affected | |
| freebsd | 5.1 | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| novell | suse_linux_enterprise_software_development_kit | 11.0 | |
| novell | suse_linux_enterprise_software_development_kit | 12.0 | |
| openssl | openssl | 0.9.8 | |
| openssl | openssl | 0.9.8a | |
| openssl | openssl | 0.9.8b | |
| openssl | openssl | 0.9.8c | |
| openssl | openssl | 0.9.8d | |
| openssl | openssl | 0.9.8e | |
| openssl | openssl | 0.9.8f | |
| openssl | openssl | 0.9.8g | |
| openssl | openssl | 0.9.8h | |
| openssl | openssl | 0.9.8i | |
| openssl | openssl | 0.9.8j | |
| openssl | openssl | 0.9.8k | |
| openssl | openssl | 0.9.8l | |
| openssl | openssl | 0.9.8m | |
| openssl | openssl | 0.9.8n | |
| openssl | openssl | 0.9.8o | |
| openssl | openssl | 0.9.8p | |
| openssl | openssl | 0.9.8q | |
| openssl | openssl | 0.9.8r | |
| openssl | openssl | 0.9.8s | |
| openssl | openssl | 0.9.8t | |
| openssl | openssl | 0.9.8u | |
| openssl | openssl | 0.9.8v | |
| openssl | openssl | 0.9.8w | |
| openssl | openssl | 0.9.8x | |
| openssl | openssl | 0.9.8y | |
| openssl | openssl | 0.9.8z | |
| openssl | openssl | 0.9.8za | |
| openssl | openssl | 0.9.8zb | |
| openssl | openssl | 1.0.0 | |
| openssl | openssl | 1.0.0a | |
| openssl | openssl | 1.0.0b | |
| openssl | openssl | 1.0.0c | |
| openssl | openssl | 1.0.0d | |
| openssl | openssl | 1.0.0e | |
| openssl | openssl | 1.0.0f | |
| openssl | openssl | 1.0.0g | |
| openssl | openssl | 1.0.0h | |
| openssl | openssl | 1.0.0i | |
| openssl | openssl | 1.0.0j | |
| openssl | openssl | 1.0.0k | |
| openssl | openssl | 1.0.0l | |
| openssl | openssl | 1.0.0m | |
| openssl | openssl | 1.0.0n | |
| openssl | openssl | 1.0.1 | |
| openssl | openssl | 1.0.1a | |
| openssl | openssl | 1.0.1b | |
| openssl | openssl | 1.0.1c | |
| openssl | openssl | 1.0.1d | |
| openssl | openssl | 1.0.1e | |
| openssl | openssl | 1.0.1f | |
| openssl | openssl | 1.0.1g | |
| openssl | openssl | 1.0.1h | |
| openssl | openssl | 1.0.1i | |
| ibm | vios | 2.2.0.10 | |
| ibm | vios | 2.2.0.11 | |
| ibm | vios | 2.2.0.12 | |
| ibm | vios | 2.2.0.13 | |
| ibm | vios | 2.2.1.0 | |
| ibm | vios | 2.2.1.1 | |
| ibm | vios | 2.2.1.3 | |
| ibm | vios | 2.2.1.4 | |
| ibm | vios | 2.2.1.5 | |
| ibm | vios | 2.2.1.6 | |
| ibm | vios | 2.2.1.7 | |
| ibm | vios | 2.2.1.8 | |
| ibm | vios | 2.2.1.9 | |
| ibm | vios | 2.2.2.0 | |
| ibm | vios | 2.2.2.1 | |
| ibm | vios | 2.2.2.2 | |
| ibm | vios | 2.2.2.3 | |
| ibm | vios | 2.2.2.4 | |
| ibm | vios | 2.2.2.5 | |
| ibm | vios | 2.2.3.0 | |
| ibm | vios | 2.2.3.1 | |
| ibm | vios | 2.2.3.2 | |
| ibm | vios | 2.2.3.3 | |
| ibm | vios | 2.2.3.4 | |
| oracle | database | 11.2.0.4 | |
| oracle | database | 12.1.0.2 | |
References
- https://www.suse.com/security/cve/CVE-2014-3566.html
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-015.txt.asc
- http://advisories.mageia.org/MGASA-2014-0416.html
- http://aix.software.ibm.com/aix/efixes/security/openssl_advisory11.asc
- http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html
- http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html
- http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566
- http://blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html
- http://blog.nodejs.org/2014/10/23/node-v0-10-33-stable/
- http://blogs.technet.com/b/msrc/archive/2014/10/14/security-advisory-3009008-released.aspx
- http://docs.ipswitch.com/MOVEit/DMZ82/ReleaseNotes/MOVEitReleaseNotes82.pdf
- http://downloads.asterisk.org/pub/security/AST-2014-011.html
- http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
- http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04583581
- http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04779034
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html
- http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-November/142330.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141114.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141158.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169361.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169374.html
- http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00001.html
CWEs
CWE-310