CVE-2014-3566
CVE-2014-3566: POODLE: SSLv3 vulnerability
Summary
POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.
POODLE affects older encryption standards, specifically Secure Sockets Layer (SSL) version 3. It does not affect the newer encryption mechanism known as Transport Layer Security (TLS).
Affected Versions
All 1.x, 2.x, 3.x, 4.0 and 4.1.
Impact
Low
Manual Instructions
Disable SSLv3 in mod_nss.
Edit /etc/httpd/conf.d/nss.conf and set NSSProtocol to TLSv1.0 and TLSv1.1:
NSSProtocol TLSv1.0,TLSv1.1
Restart the httpd service:
# service httpd restart
NOTE: mod_nss only added support for TLSv1.2 in mid-October 2014, and most distributions do not include it yet. If your distribution includes mod_nss with TLSv1.2 support, please use:
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
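To confirm the edit took effect in every place the directive appears, the following added example (not part of the original advisory or of IPA) scans a mod_nss configuration file for active NSSProtocol lines that still allow SSLv3. The function name check_nss_protocol and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a mod_nss config for NSSProtocol lines that still allow SSLv3.
# Return codes: 0 = directive present, SSLv3 not enabled
#               1 = SSLv3 (or "All") enabled; offending lines are printed
#               2 = no active NSSProtocol directive found (review manually)
check_nss_protocol() {
    awk '
        /^[ \t]*#/ { next }                      # ignore commented-out directives
        tolower($1) == "nssprotocol" {           # directive names are case-insensitive
            found = 1
            value = tolower($0)
            sub(/^[ \t]*nssprotocol[ \t]+/, "", value)
            n = split(value, proto, /[ \t,]+/)   # value is a comma-separated list
            for (i = 1; i <= n; i++)
                # "All" enables every protocol the module supports, SSLv3 included
                if (proto[i] == "sslv3" || proto[i] == "all") {
                    printf "%s:%d: %s\n", FILENAME, FNR, $0
                    weak = 1
                    break
                }
        }
        END { rc = 2; if (found) rc = 0; if (weak) rc = 1; exit rc }
    ' "$1"
}

# Constructed sample files standing in for /etc/httpd/conf.d/nss.conf.
demo_dir=$(mktemp -d)
printf '%s\n' '<VirtualHost _default_:443>' \
    '  NSSProtocol SSLv3,TLSv1.0,TLSv1.1' '</VirtualHost>' > "$demo_dir/before.conf"
printf '%s\n' '<VirtualHost _default_:443>' '  #NSSProtocol SSLv3,TLSv1.0' \
    '  NSSProtocol TLSv1.0,TLSv1.1' '</VirtualHost>' > "$demo_dir/after.conf"
printf '%s\n' 'NSSEngine on' > "$demo_dir/unset.conf"

for f in before after unset; do
    rc=0
    check_nss_protocol "$demo_dir/$f.conf" || rc=$?
    echo "$f.conf -> $rc"
done
```

Run the function against the real nss.conf after editing and before restarting httpd. A return code of 2 means the file sets no protocol list at all, so the module's built-in default applies and should be checked separately.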
Versions of TLS supported by IPA
IPA client code only supports SSLv3 and TLS v1.0 at this time.
TLSv1.1 can be enabled in mod_nss, but it will not be used by the IPA command-line tools. This is being tracked in BZ 1154776.
More Information
For more information see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566 and https://access.redhat.com/articles/1232123