Environment
NetIQ eDirectory 8.8 SP8
Novell eDirectory 8.8 SP7
Novell eDirectory 8.8 SP7
NetIQ iManager 2.7 SP7
Situation
The original Poodle vulnerability (CVE-2014-3566) involved SSLv3's inability to properly check the padding bytes after decryption. This led to these bytes not being considered while checking the integrety of a message.
A new announcement came that there was a Poodle variant repurposed to attack TLS (CVE-2014-8730).
Resolution
eDirectory Engineering has determined neither eDirectory nor iManager are affected by this vulnerability.
This vulnerability is not in the TLS protocol itself but in how it is implemented. eDirectory utilizes NTLS (properly branched from OpenSSL) and JSSE in iManager for accessing the TLS protocol. Neither of these are affected as TLS is very strict about the padding structure.
However, there are some vendors that have implemented TLS without the required padding byte check, thus leading to this issue. It appears to be primarily F4 switch vendors, specifically F5. Due to the popularity of these switches the number of web sites exposed is significant (10%).
Additional Information
For more information on the original SSLv3 Poodle Vulnerability in regards to eDirectory please see KB 7015785.
For more information on the original SSLv3 Poodle Vulnerability in regards to iManager please see KB 7015788.