SSLv3 Fallback Protection "POODLE" vulnerability (CVE-2014-3566)
Version: OpenSSL 1.0.1, 1.0.0, 0.9.8
POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.
OpenSSL Description: "Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a number of weaknesses including POODLE."
All products using OpenSSL versions 1.0.1, 1.0.0, or 0.9.8 are impacted.
Our immediate recommendation is to disable SSLv3 for impacted products. For currently supported products that do not allow SSL to be disabled, patches will be provided.
Status/Patching specifics by Product:
- Novell iPrint Appliance: TID 7015854 - Novell iPrint Announcement: CVE-2014-3566 'POODLE' weakness in the SSL protocol
- Novell Open Enterprise Server: TID 7015793 - The Poodle SSLv3 vulnerability and its impact on Novell Open Enterprise Server
- Novell GroupWise: TID 7015816 - Novell GroupWise and the Poodle SSLv3 Vulnerability
- Novell GroupWise Mobility Service and Data Synchronizer: TID 7015791 - Novell Data Synchronizer / GroupWise Mobile Service and Poodle SSLv3 Vulnerability
- Novell Messenger: TID 7015817 - Novell Messenger and the Poodle SSLv3 Vulnerability
- NetIQ eDirectory and iManager: TID 7015785 - The Poodle SSLv3 vulnerability and its impact on eDirectory
- NetIQ Access Manager: TID 7015767 - HOWTO: disable SSL 3.0 to mitigate vulnerabilities caused by Poodle attack on that Protocol
- NetIQ Self Service Password Reset: TID 7015821 - The POODLE SSLv3 vulnerability and its impact on SSPR
- NetIQ Identity Manager: TID 7015788 - The POODLE SSLv3 vulnerability and its impact on Identity Manager
- NetIQ Sentinel: SSL vulnerability CVE-2014-3566 'POODLE' on Sentinel
For SuSE Linux specifics, please see TID 7015773 - The POODLE weakness in the SSL protocol (CVE-2014-3566)