(Red Hat Issues Fix for Node.js) OpenSSL SSL 3.0 Protocol Downgrade Flaw Lets Remote Users Decrypt SSL Traffic
SecurityTracker Alert ID: 1033182|
SecurityTracker URL: http://securitytracker.com/id/1033182
(Links to External Site)
Date: Aug 5 2015
Disclosure of system information, Disclosure of user information|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
A vulnerability was reported in OpenSSL. A remote user can decrypt SSL sessions in certain cases. Node.js on Red Hat Enterprise Linux is affected.|
A remote user can with the ability to conduct a man-in-the-middle attack can force a client to negotiate a downgrade to SSLv3 instead of a TLS v1.x protocol and then conduct a BEAST-style of attack to decrypt portions of the session.
This protocol vulnerability is referred to as the POODLE ("Padding Oracle On Downgraded Legacy Encryption") vulnerability.
This is a flaw in the protocol rather than in the OpenSSL implementation.
The original advisory is available at:
Bodo Moller, Thai Duong, and Krzysztof Kotowicz reported this vulnerability.
A remote user with the ability to conduct a man-in-the-middle attack can decrypt SSL sessions.|
Red Hat has issued a fix for Node.js.|
The Red Hat advisories are available at:
Vendor URL: rhn.redhat.com/errata/RHSA-2015-1545.html (Links to External Site)
Access control error|
|Underlying OS: Linux (Red Hat Enterprise)|
|Underlying OS Comments: 6|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Subject: [RHSA-2015:1545-01] Important: node.js security update|
-----BEGIN PGP SIGNED MESSAGE-----
Red Hat Security Advisory
Synopsis: Important: node.js security update
Advisory ID: RHSA-2015:1545-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1545.html
Issue date: 2015-08-04
CVE Names: CVE-2014-3566
Updated node.js packages that fix one security issue are now available for
Red Hat OpenShift Enterprise 2.1.
Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
2. Relevant releases/architectures:
RHOSE Node 2.1 - noarch
OpenShift Enterprise by Red Hat is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
Node.js is a software development platform for building fast and scalable
A flaw was found in the way SSL 3.0 handled padding bytes when decrypting
messages encrypted using block ciphers in cipher block chaining (CBC) mode.
This flaw allows a man-in-the-middle (MITM) attacker to decrypt a selected
byte of a cipher text in as few as 256 tries if they are able to force a
victim application to repeatedly send the same data over newly created SSL
3.0 connections. (CVE-2014-3566)
All OpenShift Enterprise users are advised to upgrade to these updated
packages, which correct this issue.
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
5. Bugs fixed (https://bugzilla.redhat.com/):
1152789 - CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack
6. Package List:
RHOSE Node 2.1:
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
The Red Hat security contact is <email@example.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
Enterprise-watch-list mailing list