CVE-2014-3566: SSL Poodle Vulnerability

CVE ID

CVE-2014-3566

DESCRIPTION

The Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability allows a man-in-the-middle attacker to decrypt ciphertext with SSL 3.0 CBC mode padding bytes.

Exploiting this vulnerability is not easily accomplished. Man-in-the-middle attacks require large amounts of time and resources. While likelihood is low, Red Hat recommends implementing only TLS to avoid flaws in SSL. Disabling SSLv3 in favor of at least a TLS connection is recommended.

Red Hat statement

All implementations of SSLv3 are affected. Red Hat Enterprise Linux and other Red Hat products include libraries which enable the use of SSLv3. This vulnerability does not affect the newer encryption mechansim known as Transport Socket Layer (TLS).

To mitigate this vulnerability, you should disable SSLv3 in all affected packages.

Unitrends statement

Risk to Unitrends systems: Low

The attacker has to interject himself as a man-in-the-middle which is difficult and time consuming. He would also need to understand the protocols we use to backup or replicate to intercept any critical data. OpenVPN 2.x also does not support SSLv3.

RESOLUTION

Unitrends disables SSLv3 for web access in /etc/httpd/conf.d/ssl.conf with release 8.0.0-2 and later.

LINK TO ADVISORIES

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us