Poodle variant / TLS vulnerability and its impact on eDirectory and iManager (CVE-2014-8730)

  • 7015987
  • 11-Dec-2014
  • 11-Dec-2014

Environment

NetIQ eDirectory 8.8 SP8
Novell eDirectory 8.8 SP7
NetIQ iManager 2.7 SP7

Situation

The original Poodle vulnerability (CVE-2014-3566) exploited the fact that SSLv3 does not verify the padding bytes of a CBC-encrypted record after decryption: only the final padding-length byte is read, and the padding bytes themselves are covered by neither the MAC nor any other check. An attacker who substitutes a ciphertext block into the padding position can therefore have the record accepted, and learn a byte of plaintext, without the modification being detected.

A subsequent announcement described a Poodle variant repurposed to attack TLS (CVE-2014-8730).

Resolution

eDirectory Engineering has determined that neither eDirectory nor iManager is affected by this vulnerability.
 
This vulnerability is not in the TLS protocol itself but in how some vendors have implemented it.  eDirectory uses NTLS (branched from OpenSSL) and iManager uses JSSE for its TLS support.  Neither library is affected, because the TLS specification requires every padding byte to equal the padding length and both libraries enforce that rule; a record whose padding has been altered is rejected rather than passed on for MAC verification.
 
However, some vendors have implemented TLS without the required padding-byte check, carrying the SSLv3 behaviour into TLS and thereby reintroducing the Poodle attack.  The affected implementations appear to be primarily network switch and load-balancer products, specifically from F5.  Because these devices are widely deployed in front of web servers, the number of exposed web sites is significant (roughly 10% of the sites surveyed when the variant was announced).
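The following example, added here and not part of the original KB article or of any NetIQ or F5 code, illustrates the difference described above between an SSLv3-style padding check (only the length byte is inspected) and the strict TLS 1.x check (every padding byte must equal the padding length). It works on a simplified, constructed record layout of application data followed by padding; the MAC is omitted because in both protocols it does not cover the padding, so it cannot detect the tampering shown. The `tamper_padding` helper stands in for the effect of the attacker's block substitution and is an assumption of this example, not a description of the attack's mechanics.

```python
"""Added example (not from the KB article): why a CBC record with altered padding
passes an SSLv3-style padding check but fails the TLS 1.x check.
Assumed record layout: application data || padding bytes || padding-length byte.
The MAC is left out on purpose; it does not cover the padding in either protocol."""

BLOCK_SIZE = 16  # AES block size, used for the constructed records below


def pad_record(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Append TLS-style padding: pad_len bytes of value pad_len, then pad_len itself,
    so that the record length is a multiple of the block size."""
    pad_len = block_size - 1 - (len(data) % block_size)
    return data + bytes([pad_len]) * (pad_len + 1)


def sslv3_padding_ok(record: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """SSLv3 rule: read only the final byte and require it to be a legal length.
    The padding bytes it describes are never compared against anything."""
    if not record:
        return False
    pad_len = record[-1]
    return pad_len < block_size and len(record) >= pad_len + 1


def tls_padding_ok(record: bytes) -> bool:
    """TLS 1.0-1.2 rule (RFC 5246, section 6.2.3.2): every padding byte must equal
    padding_length, otherwise the record is rejected."""
    if not record:
        return False
    pad_len = record[-1]
    if len(record) < pad_len + 1:
        return False
    return all(b == pad_len for b in record[-(pad_len + 1):])


def tamper_padding(record: bytes) -> bytes:
    """Overwrite the padding bytes (but not the length byte) with other values.
    Constructed stand-in for the attacker's block substitution: XOR with 0xAA so
    every padding byte changes regardless of its original value."""
    pad_len = record[-1]
    if pad_len == 0:
        return record  # only the length byte is present; nothing to alter
    body, padding = record[:-(pad_len + 1)], record[-(pad_len + 1):-1]
    return body + bytes(b ^ 0xAA for b in padding) + bytes([pad_len])


def compare_checks(data: bytes) -> dict:
    """Run both padding checks on a clean record and on its tampered copy."""
    clean = pad_record(data)
    tampered = tamper_padding(clean)
    return {
        "clean_sslv3": sslv3_padding_ok(clean),
        "clean_tls": tls_padding_ok(clean),
        "tampered_sslv3": sslv3_padding_ok(tampered),
        "tampered_tls": tls_padding_ok(tampered),
    }


if __name__ == "__main__":
    # Constructed sample: 16 bytes of data yields a full block of padding
    # (pad_len 15), which is the record shape the Poodle attack relies on.
    for name, result in compare_checks(b"GET / HTTP/1.1\r\n").items():
        print(f"{name:15s} {'accepted' if result else 'rejected'}")
```

The tampered record is accepted by the SSLv3-style check and rejected by the TLS check; an implementation that reuses SSLv3 padding handling for TLS records behaves like the first function and is what CVE-2014-8730 describes.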
 

Additional Information

For more information on the original SSLv3 Poodle vulnerability with regard to eDirectory, please see KB 7015785.
For more information on the original SSLv3 Poodle vulnerability with regard to iManager, please see KB 7015788.