CVE-2014-3566 — POODLE: Failing Open in SSL 3.0

CWE-310 CWE-636 — Failing Open CWE-757 — Algorithm Downgrade CWE-327 — Use of a Broken or Risky Cryptographic Algorithm CWE-200 — Sensitive Information Exposure26 documents15 sources

Severity

3.4LOWNVD

EPSS

94.0%

top 0.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apsis Pound Lighttpd Mozilla NSS +22 more

Timeline

PublishedOct 15

Latest updateMay 17

Description

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:NExploitability: 1.6 | Impact: 1.4

Affected Packages21 packages

▶NVDoracle/database11.2.0.4, 12.1.0.2+1

▶Debianopenssl/openssl< 1.0.1j-1+3

▶NVDopenssl/openssl54 versions+53

▶Debianapsis/pound< 2.6-6+2

▶Debianmozilla/nss< 2:3.17.1-1+3

Also affects: Netbsd 5.1, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.2, 5.2.1, 5.2.2, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, Debian Linux 7.0, 8.0, Fedora 19, 20, 21, Enterprise Linux 5, 5.0, 6.0, 7.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-r82h-wc4x-gcp9: The SSL protocol 3↗2022-05-17

▶

OSV

openjdk-7 vulnerabilities↗2015-01-28

▶

OSV

CVE-2014-3566: The SSL protocol 3↗2014-10-15

▶

CVEList

CVE-2014-3566: The SSL protocol 3↗2014-10-15

▶

📋Vendor Advisories

Citrix

CVE-2015-3642: The TLS and DTLS processing functionality in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway devices with firmware 9.x be↗2017-08-02

▶

Ubuntu

OpenJDK 7 vulnerabilities↗2015-01-28

▶

Ubuntu

OpenJDK 6 vulnerabilities↗2015-01-27

▶

Red Hat

TLS: incorrect check of padding bytes when using CBC cipher suites↗2014-12-09

▶

BSD

FreeBSD-SA-14:23.openssl: OpenSSL multiple vulnerabilities↗2014-10-21

▶

💬Community

HackerOne

SSLv3 Poodle Attack on Ip Of semrush↗2018-03-13

▶

HackerOne

POODLE SSLv3 bug on multiple twitter smtp servers (mx3.twitter.com,199.59.148.204,199.16.156.108 and 199.59.148.204)↗2018-02-22

▶

Bugzilla

CVE-2014-3566 asterisk: openssl: Padding Oracle On Downgraded Legacy Encryption attack [fedora-all]↗2014-11-05

▶

Bugzilla

CVE-2014-3566 asterisk: openssl: Padding Oracle On Downgraded Legacy Encryption attack [epel-6]↗2014-11-05

▶

Bugzilla

CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack↗2014-10-15

▶