Novell Security Announcement: CVE-2014-3566 'POODLE' weakness in the SSL protocol

  • 7015777
  • 15-Oct-2014
  • 26-Jan-2015

Environment

NetIQ
Novell
SUSE

Situation

SSLv3 Fallback Protection “POODLE” vulnerability (CVE-2014-3566)

Severity: Medium

Version: OpenSSL 1.0.1, 1.0.0, 0.9.8

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.

OpenSSL Description: "Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a number of weaknesses including POODLE."

All products using OpenSSL versions 1.0.1, 1.0.0 and 0.9.8 are impacted.

Resolution

Our immediate recommendation is to disable SSLv3 for impacted products. For currently supported products that do not allow SSL to be disabled, patches will be provided.

Status/Patching specifics by Product:

For SUSE Linux specifics, please see TID 7015773 - The POODLE weakness in the SSL protocol (CVE-2014-3566)
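
To confirm that disabling SSLv3 has taken effect, handshake records taken from a packet capture can be checked for SSL 3.0 still being offered or selected. The Python below is an added example, not Novell or OpenSSL code; the host labels and handshake bytes are constructed, and parse_hello, sslv3_findings and build_server_hello are hypothetical names.

```python
import struct

# Protocol versions as they appear on the wire (major, minor).
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HELLO_TYPES = {1: "ClientHello", 2: "ServerHello"}


def parse_hello(record: bytes):
    """Return (hello_name, version_name) for a handshake record that starts
    with a ClientHello or ServerHello, or None for anything else."""
    if len(record) < 5:
        return None
    content_type, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    # 22 = handshake; need message type (1) + length (3) + version (2).
    if content_type != 22 or len(body) < 6 or body[0] not in HELLO_TYPES:
        return None
    (hello_version,) = struct.unpack("!H", body[4:6])
    return HELLO_TYPES[body[0]], VERSIONS.get(hello_version, hex(hello_version))


def sslv3_findings(records):
    """Return one finding per hello that offers or selects SSL 3.0."""
    findings = []
    for label, raw in records:
        parsed = parse_hello(raw)
        if parsed and parsed[1] == "SSL 3.0":
            # ClientHello carries the highest version the client supports;
            # ServerHello carries the version actually chosen.
            verb = "offers at most" if parsed[0] == "ClientHello" else "selected"
            findings.append(f"{label}: {parsed[0]} {verb} SSL 3.0")
    return findings


def build_server_hello(version: int) -> bytes:
    """Build a constructed ServerHello record (zeroed random, no session id)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x0a" + b"\x00"
    msg = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, version, len(msg)) + msg


# Constructed sample input, not captured traffic.
SAMPLE = [
    ("app01:443", build_server_hello(0x0303)),
    ("app02:443", build_server_hello(0x0300)),
    ("app03:443", b"\x17\x03\x03\x00\x02\xaa\xbb"),  # application data record
]

if __name__ == "__main__":
    for line in sslv3_findings(SAMPLE):
        print(line)
```

A ClientHello finding on a client that supports TLS is worth a closer look, since the fallback behaviour quoted in the OpenSSL description produces exactly that pattern.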

Additional Information

Additional References:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
https://www.openssl.org/news/secadv_20141015.txt