Vulnerability CVE-2014-3566


Published: 2014-10-14   Modified: 2014-10-15

Description:
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

Type: CWE-310 (Cryptographic Issues)

Vendor: Novell
Product: Suse linux enterprise desktop 
Version:
9.0
12.0
11.0
10.0
See more versions on NVD
Product: Opensuse 
Version: 13.1; 12.3;
Product: Suse linux enterprise server 
Version: 12.0; 11.0;
Product: Suse linux enterprise software development kit 
Version: 12.0; 11.0;
Vendor: Debian
Product: Debian linux 
Version: 8.0; 7.0;
Vendor: Redhat
Product: Enterprise linux desktop supplementary 
Version:
76.0
6.0
5.0
See more versions on NVD
Product: Enterprise linux workstation 
Version: 7.0; 6.0;
Product: Enterprise linux server 
Version: 7.0; 6.0;
Product: Enterprise linux desktop 
Version: 7.0; 6.0;
Product: Enterprise linux workstation supplementary 
Version: 7.0; 6.0;
Product: Enterprise linux server supplementary 
Version:
7.0
6.0
5.0
See more versions on NVD
Product: Enterprise linux 
Version: 5;
Vendor: IBM
Product: AIX 
Version:
7.1
6.1
5.3
See more versions on NVD
Product: VIOS 
Version:
2.2.3.4
2.2.3.3
2.2.3.2
2.2.3.1
2.2.3.0
2.2.2.5
2.2.2.4
2.2.2.3
2.2.2.2
2.2.2.1
2.2.2.0
2.2.1.9
2.2.1.8
2.2.1.7
2.2.1.6
2.2.1.5
2.2.1.4
2.2.1.3
2.2.1.1
2.2.1.0
2.2.0.13
2.2.0.12
2.2.0.11
2.2.0.10
See more versions on NVD
Vendor: Netbsd
Product: Netbsd 
Version:
6.1.5
6.1.4
6.1.3
6.1.2
6.1.1
6.1
6.0.6
6.0.5
6.0.4
6.0.3
6.0.2
6.0.1
6.0
5.2.2
5.2.1
5.2
5.1.4
5.1.3
5.1.2
5.1.1
5.1
See more versions on NVD
Vendor: Oracle
Product: Solaris cluster 
Version: 4.2;
Product: Database 
Version: 12.1.0.2; 11.2.0.4;
Vendor: Mageia
Product: Mageia 
Version: 4.0; 3.0;
Vendor: Fedoraproject
Product: Fedora 
Version:
21
20
19
See more versions on NVD
Vendor: Apple
Product: Mac os x 
Version: 10.10.1;
Vendor: Openssl
Product: Openssl 
Version:
1.0.1i
1.0.1h
1.0.1g
1.0.1f
1.0.1e
1.0.1d
1.0.1c
1.0.1b
1.0.1a
1.0.1
1.0.0n
1.0.0m
1.0.0l
1.0.0k
1.0.0j
1.0.0i
See more versions on NVD

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

 References:
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-015.txt.asc
http://advisories.mageia.org/MGASA-2014-0416.html
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory11.asc
http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html
http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html
http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566
http://blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html
http://blog.nodejs.org/2014/10/23/node-v0-10-33-stable/
http://blogs.technet.com/b/msrc/archive/2014/10/14/security-advisory-3009008-released.aspx
http://docs.ipswitch.com/MOVEit/DMZ82/ReleaseNotes/MOVEitReleaseNotes82.pdf
http://downloads.asterisk.org/pub/security/AST-2014-011.html
http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04583581
http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04779034
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html
http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-November/142330.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141114.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141158.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169361.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169374.html
http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00008.html
http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00003.html
http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2014-12/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00024.html
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00026.html
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00027.html
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00033.html
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00036.html
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00018.html
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00066.html
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00000.html
http://marc.info/?l=bugtraq&m=141450452204552&w=2
http://marc.info/?l=bugtraq&m=141450973807288&w=2
http://marc.info/?l=bugtraq&m=141477196830952&w=2
http://marc.info/?l=bugtraq&m=141576815022399&w=2
http://marc.info/?l=bugtraq&m=141577087123040&w=2
http://marc.info/?l=bugtraq&m=141577350823734&w=2
http://marc.info/?l=bugtraq&m=141620103726640&w=2
http://marc.info/?l=bugtraq&m=141628688425177&w=2
http://marc.info/?l=bugtraq&m=141694355519663&w=2
http://marc.info/?l=bugtraq&m=141697638231025&w=2
http://marc.info/?l=bugtraq&m=141697676231104&w=2
http://marc.info/?l=bugtraq&m=141703183219781&w=2
http://marc.info/?l=bugtraq&m=141715130023061&w=2
http://marc.info/?l=bugtraq&m=141775427104070&w=2
http://marc.info/?l=bugtraq&m=141813976718456&w=2
http://marc.info/?l=bugtraq&m=141814011518700&w=2
http://marc.info/?l=bugtraq&m=141879378918327&w=2
http://marc.info/?l=bugtraq&m=142103967620673&w=2
http://marc.info/?l=bugtraq&m=142118135300698&w=2
http://marc.info/?l=bugtraq&m=142296755107581&w=2
http://marc.info/?l=bugtraq&m=142350196615714&w=2
http://marc.info/?l=bugtraq&m=142350298616097&w=2
http://marc.info/?l=bugtraq&m=142350743917559&w=2
http://marc.info/?l=bugtraq&m=142354438527235&w=2
http://marc.info/?l=bugtraq&m=142357976805598&w=2
http://marc.info/?l=bugtraq&m=142495837901899&w=2
http://marc.info/?l=bugtraq&m=142496355704097&w=2
http://marc.info/?l=bugtraq&m=142546741516006&w=2
http://marc.info/?l=bugtraq&m=142607790919348&w=2
http://marc.info/?l=bugtraq&m=142624590206005&w=2
http://marc.info/?l=bugtraq&m=142624619906067
http://marc.info/?l=bugtraq&m=142624619906067&w=2
http://marc.info/?l=bugtraq&m=142624679706236&w=2
http://marc.info/?l=bugtraq&m=142624719706349&w=2
http://marc.info/?l=bugtraq&m=142660345230545&w=2
http://marc.info/?l=bugtraq&m=142721830231196&w=2
http://marc.info/?l=bugtraq&m=142721887231400&w=2
http://marc.info/?l=bugtraq&m=142740155824959&w=2
http://marc.info/?l=bugtraq&m=142791032306609&w=2
http://marc.info/?l=bugtraq&m=142804214608580&w=2
http://marc.info/?l=bugtraq&m=142805027510172&w=2
http://marc.info/?l=bugtraq&m=142962817202793&w=2
http://marc.info/?l=bugtraq&m=143039249603103&w=2
http://marc.info/?l=bugtraq&m=143101048219218&w=2
http://marc.info/?l=bugtraq&m=143290371927178&w=2
http://marc.info/?l=bugtraq&m=143290437727362&w=2
http://marc.info/?l=bugtraq&m=143290522027658&w=2
http://marc.info/?l=bugtraq&m=143290583027876&w=2
http://marc.info/?l=bugtraq&m=143558137709884&w=2
http://marc.info/?l=bugtraq&m=143558192010071&w=2
http://marc.info/?l=bugtraq&m=143628269912142&w=2
http://marc.info/?l=bugtraq&m=144101915224472&w=2
http://marc.info/?l=bugtraq&m=144251162130364&w=2
http://marc.info/?l=bugtraq&m=144294141001552&w=2
http://marc.info/?l=bugtraq&m=145983526810210&w=2
http://marc.info/?l=openssl-dev&m=141333049205629&w=2
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3566.html
http://rhn.redhat.com/errata/RHSA-2014-1652.html
http://rhn.redhat.com/errata/RHSA-2014-1653.html
http://rhn.redhat.com/errata/RHSA-2014-1692.html
http://rhn.redhat.com/errata/RHSA-2014-1876.html
http://rhn.redhat.com/errata/RHSA-2014-1877.html
http://rhn.redhat.com/errata/RHSA-2014-1880.html
http://rhn.redhat.com/errata/RHSA-2014-1881.html
http://rhn.redhat.com/errata/RHSA-2014-1882.html
http://rhn.redhat.com/errata/RHSA-2014-1920.html
http://rhn.redhat.com/errata/RHSA-2014-1948.html
http://rhn.redhat.com/errata/RHSA-2015-0068.html
http://rhn.redhat.com/errata/RHSA-2015-0079.html
http://rhn.redhat.com/errata/RHSA-2015-0080.html
http://rhn.redhat.com/errata/RHSA-2015-0085.html
http://rhn.redhat.com/errata/RHSA-2015-0086.html
http://rhn.redhat.com/errata/RHSA-2015-0264.html
http://rhn.redhat.com/errata/RHSA-2015-0698.html
http://rhn.redhat.com/errata/RHSA-2015-1545.html
http://rhn.redhat.com/errata/RHSA-2015-1546.html
http://support.apple.com/HT204244
http://support.citrix.com/article/CTX200238
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021431
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021439
http://www-01.ibm.com/support/docview.wss?uid=swg21686997
http://www-01.ibm.com/support/docview.wss?uid=swg21687172
http://www-01.ibm.com/support/docview.wss?uid=swg21687611
http://www-01.ibm.com/support/docview.wss?uid=swg21688283
http://www-01.ibm.com/support/docview.wss?uid=swg21692299
http://www.debian.org/security/2014/dsa-3053
http://www.debian.org/security/2015/dsa-3144
http://www.debian.org/security/2015/dsa-3147
http://www.debian.org/security/2015/dsa-3253
http://www.debian.org/security/2016/dsa-3489
http://www.kb.cert.org/vuls/id/577193
http://www.mandriva.com/security/advisories?name=MDVSA-2014:203
http://www.mandriva.com/security/advisories?name=MDVSA-2015:062
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.securityfocus.com/archive/1/533746
http://www.securityfocus.com/archive/1/533747
http://www.securityfocus.com/archive/1/archive/1/533724/100/0/threaded
http://www.securityfocus.com/bid/70574
http://www.securitytracker.com/id/1031029
http://www.securitytracker.com/id/1031039
http://www.securitytracker.com/id/1031085
http://www.securitytracker.com/id/1031086
http://www.securitytracker.com/id/1031087
http://www.securitytracker.com/id/1031088
http://www.securitytracker.com/id/1031089
http://www.securitytracker.com/id/1031090
http://www.securitytracker.com/id/1031091
http://www.securitytracker.com/id/1031092
http://www.securitytracker.com/id/1031093
http://www.securitytracker.com/id/1031094
http://www.securitytracker.com/id/1031095
http://www.securitytracker.com/id/1031096
http://www.securitytracker.com/id/1031105
http://www.securitytracker.com/id/1031106
http://www.securitytracker.com/id/1031107
http://www.securitytracker.com/id/1031120
http://www.securitytracker.com/id/1031123
http://www.securitytracker.com/id/1031124
http://www.securitytracker.com/id/1031130
http://www.securitytracker.com/id/1031131
http://www.securitytracker.com/id/1031132
http://www.ubuntu.com/usn/USN-2486-1
http://www.ubuntu.com/usn/USN-2487-1
http://www.us-cert.gov/ncas/alerts/TA14-290A
http://www.vmware.com/security/advisories/VMSA-2015-0003.html
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0
http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-405500.htm
https://access.redhat.com/articles/1232123
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_openssl6
https://bto.bluecoat.com/security-advisory/sa83
https://bugzilla.mozilla.org/show_bug.cgi?id=1076983
https://bugzilla.redhat.com/show_bug.cgi?id=1152789
https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip
https://github.com/mpgn/poodle-PoC
https://groups.google.com/forum/#!topic/docker-user/oYm0i3xShJU
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04819635
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05068681
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05157667
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05301946
https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
https://kc.mcafee.com/corporate/index?page=content&id=SB10090
https://kc.mcafee.com/corporate/index?page=content&id=SB10091
https://kc.mcafee.com/corporate/index?page=content&id=SB10104
https://puppet.com/security/cve/poodle-sslv3-vulnerability
https://security.gentoo.org/glsa/201507-14
https://security.gentoo.org/glsa/201606-11
https://security.netapp.com/advisory/ntap-20141015-0001/
https://support.apple.com/HT205217
https://support.apple.com/kb/HT6527
https://support.apple.com/kb/HT6529
https://support.apple.com/kb/HT6531
https://support.apple.com/kb/HT6535
https://support.apple.com/kb/HT6536
https://support.apple.com/kb/HT6541
https://support.apple.com/kb/HT6542
https://support.citrix.com/article/CTX216642
https://support.lenovo.com/product_security/poodle
https://support.lenovo.com/us/en/product_security/poodle
https://technet.microsoft.com/library/security/3009008.aspx
https://www-01.ibm.com/support/docview.wss?uid=swg21688165
https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html
https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html
https://www.elastic.co/blog/logstash-1-4-3-released
https://www.imperialviolet.org/2014/10/14/poodle.html
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://www.openssl.org/news/secadv_20141015.txt
https://www.suse.com/support/kb/doc.php?id=7015773

Related CVE
CVE-2018-12438
The Elliptic Curve Cryptography library (aka sunec or libsunec) allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the loc...
CVE-2018-12437
LibTomCrypt through 1.18.1 allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual mac...
CVE-2018-12433
** DISPUTED ** cryptlib through 3.4.4 allows a memory-cache side-channel attack on DSA and ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover a key, the attacker needs access to either the local machine or a different...
CVE-2018-0732
During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime result...
CVE-2018-0737
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixe...
CVE-2018-0739
Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used w...
CVE-2018-0733
Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of t...
CVE-2017-3738
There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult...

Copyright 2018, cxsecurity.com

 
