CVE-2014-3566#

CVE-2014-3566: POODLE: SSLv3 vulnerability#

Summary#

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.

POODLE affects older standards of encryption, specifically Secure Socket Layer (SSL) version 3. It does not affect the newer encryption mechansim known as Transport Layer Security (TLS).

Affected Versions#

All 1.x, 2.x, 3.x, 4.0 and 4.1.

Impact#

Low

Manual Instructions#

Disable SSLv3 in mod_nss.

Edit /etc/httpd/conf.d/nss.conf and set NSSProtocol to TLSv1.0 and TLSv1.1.

NSSProtocol TLSv1.0,TLSv1.1

Restart the httpd service

# service httpd restart

NOTE: mod_nss only added support for TLSv1.2 in mid-October 2014 and most distributions miss it. If your distribution includes mod_nss with TLSv1.2 support, please use

NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

Versions of TLS supported by IPA#

IPA client code only supports SSLv3 and TLS v1.0 at this time.

TLSv1.1 can be enabled in mod_nss but it will not be used by the IPA command-line tools. This is being tracked in BZ 1154776

More Information#

For more information see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566 and https://access.redhat.com/articles/1232123