Environment
Novell
SUSE
Situation
SSLv3 Fallback Protection “POODLE” vulnerability (CVE-2014-3566)
Severity: Medium
Version: OpenSSL 1.0.1, 1.0.0, 0.9.8
POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.
OpenSSL Description: "Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a number of weaknesses including POODLE."
All products using OpenSSL version 1.0.1, 1.0.0, 0.9.8 are impacted.
Resolution
Our immediate recommendation is to disable SSLv3 for impacted products. For currently supported products that do not allow SSL to be disabled, patches will be provided.
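One way to verify that SSLv3 is really off on a service after following this recommendation, shown as an added example (not Novell's or OpenSSL's code; the function names and the cipher-suite list are choices made for this example). It sends a ClientHello that offers SSL 3.0 only and classifies the first record the server returns.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"  # SSL 3.0 version bytes on the wire
# Suites offered (example choice): RC4-SHA, 3DES-CBC-SHA, AES128-CBC-SHA, AES256-CBC-SHA
SUITES = b"\x00\x05\x00\x0a\x00\x2f\x00\x35"

def build_sslv3_client_hello(random=None):
    """Return one record holding a ClientHello that offers SSL 3.0 only."""
    random = random or os.urandom(32)
    body = (SSL3 + random + b"\x00"                  # version, random, empty session id
            + struct.pack("!H", len(SUITES)) + SUITES
            + b"\x01\x00")                           # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data):
    """Interpret the first record the server sent back."""
    if len(data) < 7:
        return "closed"              # dropped without answering: SSLv3 not accepted
    ctype = data[0]
    frag = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if ctype == 0x15 and len(frag) >= 2:             # alert record: level, description
        return "rejected (alert %d)" % frag[1]
    if ctype == 0x16 and len(frag) >= 6 and frag[0] == 0x02:   # ServerHello
        return "SSLv3 ACCEPTED" if frag[4:6] == SSL3 else "other version"
    return "unexpected"

def check_sslv3(host, port=443, timeout=5.0):
    """Offer SSL 3.0 only to host:port and report how the server answered."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            while len(data) < 11:    # record header (5) + handshake header (4) + version (2)
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except OSError:              # timeout or reset: treat as no ServerHello
            pass
    return classify_reply(data)
```

Call `check_sslv3("server.example", 443)` against each service you administer; any result other than "SSLv3 ACCEPTED" means the server refused the SSL 3.0 handshake.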
Status/Patching specifics by Product:
- Novell ZENworks: TID 7015826 - ZENworks Configuration Management Security Announcement: CVE-2014-3566 'POODLE' weakness in the SSL protocol
- Novell Service Desk: TID 7015809 - Novell Service Desk Announcement: CVE-2014-3566 'POODLE' weakness in the SSL protocol
- Novell Filr: TID 7015804 - Novell Filr Security Announcement: CVE-2014-3566 'POODLE' weakness in the SSL protocol
- Novell iPrint Appliance: TID 7015854 - Novell iPrint Announcement: CVE-2014-3566 'POODLE' weakness in the SSL protocol
- Novell Open Enterprise Server: TID 7015793 - The Poodle SSLv3 vulnerability and its impact on Novell Open Enterprise Server
- Novell GroupWise: TID 7015816 - Novell GroupWise and the Poodle SSLv3 Vulnerability
- Novell GroupWise Mobility Service and Data Synchronizer: TID 7015791 - Novell Data Synchronizer / GroupWise Mobile Service and Poodle SSLv3 Vulnerability
- Novell Messenger: TID 7015817 - Novell Messenger and the Poodle SSLv3 Vulnerability
- Novell Vibe: TID 7015805 - Novell Vibe Security Announcement: CVE-2014-3566 'POODLE' weakness in the SSL protocol
- Novell NetWare: See KB 7015837 - The Poodle SSLv3 vulnerability and its impact on NetWare 6.5 sp8
- NetIQ eDirectory and iManager: TID 7015785 - The Poodle SSLv3 vulnerability and its impact on eDirectory
- NetIQ Access Manager: TID 7015767 - HOWTO: disable SSL 3.0 to mitigate vulnerabilities caused by Poodle attack on that Protocol
- NetIQ Self Service Password Reset: TID 7015821 - The POODLE SSLv3 vulnerability and its impact on SSPR
- NetIQ Identity Manager: TID 7015788 - The POODLE SSLv3 vulnerability and its impact on Identity Manager
- NetIQ Sentinel: SSL vulnerability CVE-2014-3566 'POODLE' on Sentinel
For SUSE Linux specifics, please see TID 7015773 - The POODLE weakness in the SSL protocol (CVE-2014-3566)