SecurityTracker.com
Category: Application (VPN) > OpenSSL
Vendors: OpenSSL.org
OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
SecurityTracker Alert ID:  1031029
SecurityTracker URL:  http://securitytracker.com/id/1031029
CVE Reference:   CVE-2014-3566
Updated:  Oct 15 2014
Original Entry Date:  Oct 15 2014
Impact:   Disclosure of system information, Disclosure of user information
Vendor Confirmed:  Yes
Exploit Included:  Yes

Description:   A vulnerability was reported in OpenSSL. A remote user can decrypt SSL sessions in certain cases.

A remote user with the ability to conduct a man-in-the-middle attack can force a client to negotiate a downgrade to SSLv3 instead of a TLS v1.x protocol and then conduct a BEAST-style attack to decrypt portions of the session.

This protocol vulnerability is referred to as the POODLE ("Padding Oracle On Downgraded Legacy Encryption") vulnerability.

This is a flaw in the protocol rather than in the OpenSSL implementation.

The original advisory is available at:

https://www.openssl.org/~bodo/ssl-poodle.pdf

Bodo Möller, Thai Duong, and Krzysztof Kotowicz reported this vulnerability.

Impact:   A remote user with the ability to conduct a man-in-the-middle attack can decrypt SSL sessions.
Solution:   No solution was available at the time of this entry.

[Editor's note: The vendor has added support for TLS_FALLBACK_SCSV (in 0.9.8zc, 1.0.0o, and 1.0.1j), which lets applications prevent a man-in-the-middle attacker from forcing a protocol downgrade. This update does not correct the SSL 3.0 protocol weakness itself; it only prevents downgrade attacks. The vendor's advisory is available at: https://www.openssl.org/news/secadv_20141015.txt]
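The mechanism the editor's note refers to, as an added illustration that is not OpenSSL code and not part of this advisory: a Python model of the TLS_FALLBACK_SCSV check from RFC 7507. The signaling cipher-suite value 0x5600 and the inappropriate_fallback alert come from RFC 7507; the version tuples, the `interference` stand-in for an on-path attacker that drops handshakes, and the example cipher-suite list are constructed assumptions for the simulation. It also models the two related deployment facts: a server that does not understand the SCSV still allows the downgrade, and a server that has SSLv3 disabled outright refuses the fallback regardless.

```python
"""
Model of the TLS_FALLBACK_SCSV downgrade check (RFC 7507).

Added illustration, not code from OpenSSL or from this advisory. It simulates
version negotiation only: a client that retries at a lower protocol version
after a failed handshake appends the TLS_FALLBACK_SCSV signaling suite to its
ClientHello, and a server that supports a higher version than the one offered
alongside the SCSV refuses the handshake with inappropriate_fallback.
"""
from dataclasses import dataclass, field

# Protocol version numbers as carried on the wire (major, minor).
SSL3_0 = (3, 0)
TLS1_0 = (3, 1)
TLS1_1 = (3, 2)
TLS1_2 = (3, 3)

# Signaling cipher suite value reserved by RFC 7507, section 2.
TLS_FALLBACK_SCSV = 0x5600

# Alert a server sends when it detects an inappropriate fallback (RFC 7507).
INAPPROPRIATE_FALLBACK = "inappropriate_fallback"


@dataclass
class ClientHello:
    version: tuple
    cipher_suites: list = field(default_factory=list)


@dataclass
class ServerResult:
    ok: bool
    version: tuple = None
    alert: str = None


def build_client_hello(version, highest_supported, cipher_suites):
    """Client side: when retrying below its highest supported version
    (a 'fallback retry'), the client appends TLS_FALLBACK_SCSV."""
    suites = list(cipher_suites)
    if version < highest_supported:
        suites.append(TLS_FALLBACK_SCSV)
    return ClientHello(version, suites)


def server_negotiate(hello, server_highest, server_lowest=SSL3_0,
                     server_supports_scsv=True):
    """Server side (RFC 7507, section 3): if the hello carries the SCSV and
    the server supports a version higher than the one offered, abort.
    A server that predates the SCSV simply ignores the unknown suite."""
    if hello.version < server_lowest:
        return ServerResult(False, alert="protocol_version")  # e.g. SSLv3 disabled
    if (server_supports_scsv
            and TLS_FALLBACK_SCSV in hello.cipher_suites
            and server_highest > hello.version):
        return ServerResult(False, alert=INAPPROPRIATE_FALLBACK)
    return ServerResult(True, version=min(hello.version, server_highest))


def fallback_retry_session(client_highest, server_highest, interference,
                           server_lowest=SSL3_0, server_supports_scsv=True):
    """Simulate the browser 'fallback dance': the client starts at its highest
    version and steps down one version each time a handshake fails.
    'interference' is a constructed stand-in for an on-path attacker (or a
    broken middlebox) that drops every handshake at or above that version;
    None means nothing is dropped. Returns (negotiated_version, alert)."""
    versions = [TLS1_2, TLS1_1, TLS1_0, SSL3_0]
    base_suites = [0x002F, 0x0035]  # constructed example suite list
    for v in versions:
        if v > client_highest:
            continue
        hello = build_client_hello(v, client_highest, base_suites)
        if interference is not None and v >= interference:
            continue  # handshake never reaches the server; client retries lower
        result = server_negotiate(hello, server_highest, server_lowest,
                                  server_supports_scsv)
        if result.ok:
            return result.version, None
        return None, result.alert
    return None, "no_common_version"


if __name__ == "__main__":
    print("no interference:", fallback_retry_session(TLS1_2, TLS1_2, None))
    print("forced to SSLv3, SCSV server:", fallback_retry_session(TLS1_2, TLS1_2, TLS1_0))
    print("forced to SSLv3, pre-SCSV server:",
          fallback_retry_session(TLS1_2, TLS1_2, TLS1_0, server_supports_scsv=False))
    print("genuine SSLv3-only server:", fallback_retry_session(TLS1_2, SSL3_0, TLS1_0))
```

The four runs show why the editor's note stresses that the update only prevents downgrades: a server that honours the SCSV rejects the forced retry with inappropriate_fallback, a server that ignores it still ends up on SSLv3, and a server that genuinely tops out at SSLv3 still interoperates (the SCSV is not a mitigation for SSL 3.0 itself; removing SSLv3 is, which the `server_lowest` parameter models).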

Vendor URL:  www.openssl.org/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 16 2014 (Red Hat Issues Fix) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
Red Hat has issued a fix for Red Hat Enterprise Linux 5, 6, and 7.
Oct 17 2014 (Apple Issues Fix for OS X) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
Apple has issued a fix for OS X and OS X Server.
Oct 21 2014 (Apple Issues Fix for Apple TV) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
Apple has issued a fix for Apple TV.
Oct 21 2014 (Apple Issues Fix for iOS) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
Apple has issued a fix for Apple iOS.
Oct 21 2014 (Splunk Issues Advisory for Splunk Enterprise) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
Splunk has issued an advisory for Splunk Enterprise.
Oct 22 2014 (FreeBSD Issues Fix) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
FreeBSD has issued a fix for FreeBSD 8.4, 9.1, 9.2, 9.3, 10.0, and 10.1.
Oct 30 2014 (IBM Issues Fix for IBM AIX) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
IBM has issued a fix for IBM AIX 5.3, 6.1, and 7.1.
Oct 30 2014 (HP Issues Fix for HP-UX) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
HP has issued a fix for HP-UX 11.11, 11.23, and 11.31.
Nov 3 2014 (NetBSD Issues Fix) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
NetBSD has issued a fix for NetBSD 5.1, 5.2, 6.0, and 6.1.
Nov 24 2014 (HP Issues Fix for HP Project Portfolio Manager) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
HP has issued a fix for HP Project Portfolio Manager.
Dec 2 2014 (Red Hat Issues Fix for JBoss) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
Red Hat has issued a fix for JBoss.
Dec 3 2014 (Mozilla Issues Fix for Network Security Services) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
Red Hat has issued a fix for Mozilla Network Security Services (NSS) for Red Hat Enterprise Linux 5, 6, and 7.
Dec 19 2014 (Novell Issues Fix for Novell eDirectory) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
Novell has issued a fix for Novell eDirectory.
Jan 21 2015 (Oracle Issues Fix for JRockit) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
Oracle has issued a fix for Oracle JRockit.
Feb 27 2015 (VMware Issues Fix for VMware ESXi) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
VMware has issued a fix for VMware ESXi 5.0, 5.1, and 5.5.
Mar 25 2015 (HP Issues Fix for HP integrated Lights Out (iLO)) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
HP has issued a fix for HP integrated Lights Out (iLO).
Apr 21 2015 (HP Issues Fix for HP Business Service Manager) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
HP has issued a fix for HP Business Service Manager.
Apr 21 2015 (HP Issues Fix for HP Operations Manager) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
HP has issued a fix for HP Operations Manager.
Apr 21 2015 (HP Issues Fix for HP Performance Manager) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
HP has issued a fix for HP Performance Manager.
Apr 21 2015 (HP Issues Fix for HP SiteScope) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
HP has issued a fix for HP SiteScope.
May 7 2015 (HP Issues Fix for HP-UX Running sendmail) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
HP has issued a fix for HP-UX 11.11, 11.23, and 11.31 running sendmail.
May 7 2015 (HP Issues Fix for HP Network Node Manager) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
HP has issued a fix for HP Network Node Manager i (NNMi).
May 7 2015 (HP Issues Fix for HP Network Automation) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
HP has issued a fix for HP Network Automation.
May 13 2015 (HP Issues Fix for HP Service Manager) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
HP has issued a fix for HP Service Manager.
May 29 2015 (HP Issues Fix for HP Insight Control) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
HP has issued a fix for HP Insight Control.
May 29 2015 (HP Issues Fix for HP Systems Insight Manager) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
HP has issued a fix for HP Systems Insight Manager.
Jun 5 2015 (HP Issues Fix for HP VPN Firewall Module) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
HP has issued a fix for HP VPN Firewall Module and HP VPN Firewall Appliance.
Jun 18 2015 (IBM Issues Fix for IBM AIX) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
IBM has issued a fix for IBM AIX 6.1 and 7.1.
Jun 30 2015 (HP Issues Fix for HP Printers) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
HP has issued a fix for HP LaserJet Printers and Multi-Function Printers (MFPs) and HP OfficeJet Printers and MFPs.
Aug 5 2015 (Red Hat Issues Fix for Node.js) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
Red Hat has issued a fix for Node.js for Red Hat Enterprise Linux 6.
Sep 17 2015 (Apple Issues Fix for Apple Xcode) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
Apple has issued a fix for Apple Xcode.
Sep 18 2015 (HP Issues Fix for HP P6000 Command View) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
HP has issued a fix for HP P6000 Command View.
Sep 22 2015 (HP Issues Fix for HP Universal Configuration Management Database) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
HP has issued a fix for HP Universal Configuration Management Database.
Oct 5 2015 (HP Issues Fix for HP P6000 Command View) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
HP has issued a fix for HP P6000 Command View for HP-UX and Windows.
Oct 15 2015 (HP Issues Fix for HP Discovery & Dependency Mapping Inventory (DDMI)) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
HP has issued a fix for HP Discovery & Dependency Mapping Inventory (DDMI).
Apr 5 2016 (HPE Issues Fix for HPE OneView for VMware vCenter) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
HPE has issued a fix for HPE OneView for VMware vCenter.
Jun 3 2016 (HP Issues Fix for HPE BladeSystem) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
HP has issued a fix for HPE BladeSystem.
Sep 15 2016 (Citrix Issues Fix for Citrix NetScaler) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
Citrix has issued a fix for Citrix NetScaler.
Jul 18 2017 (Oracle Issues Fix for Oracle Database) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
Oracle has issued a fix for Oracle Database.



 Source Message Contents



[Original Message Not Available for Viewing]



Copyright 2018, SecurityGlobal.net LLC