CVE-2014-3566
LOW severity · CVSS 3.4 · CWE-310
Summary
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
Impact & exploitability
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: Required
Confidentiality impact: Low
Integrity impact: None
Availability impact: None
Exploit probability (EPSS): 94%
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
Affected products we track (3)
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.
Additional information
- NVD record
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-015.txt.asc (Advisory)
- http://advisories.mageia.org/MGASA-2014-0416.html (Advisory)
- http://aix.software.ibm.com/aix/efixes/security/openssl_advisory11.asc (Advisory)
- http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html (Advisory)
- http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html (Advisory)
- http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566 (Advisory)
- http://blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html (Advisory)
- http://blog.nodejs.org/2014/10/23/node-v0-10-33-stable/ (Advisory)