CVE-2014-3566
Published: 14 October 2014
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
Notes
Author | Note |
---|---|
mdeslaur | We recommend disabling SSLv3 on servers, if possible. Community-provided information on disabling SSLv3 can be found here: http://askubuntu.com/a/537196 SANS-provided information on disabling SSLv3 can be found here: https://isc.sans.edu/forums/diary/POODLE+Turning+off+SSLv3+for+various+servers+and+client+/18837 |
Priority
Status
Package | Release | Status |
---|---|---|
openssl | upstream | Needs triage |
openssl | artful | Released (1.0.1f-1ubuntu9) |
openssl | bionic | Released (1.0.1f-1ubuntu9) |
openssl | cosmic | Released (1.0.1f-1ubuntu9) |
openssl | disco | Released (1.0.1f-1ubuntu9) |
openssl | focal | Released (1.0.1f-1ubuntu9) |
openssl | jammy | Released (1.0.1f-1ubuntu9) |
openssl | kinetic | Released (1.0.1f-1ubuntu9) |
openssl | lucid | Released (0.9.8k-7ubuntu8.22) |
openssl | lunar | Released (1.0.1f-1ubuntu9) |
openssl | precise | Released (1.0.1-4ubuntu5.20) |
openssl | trusty | Released (1.0.1f-1ubuntu2.7) |
openssl | utopic | Released (1.0.1f-1ubuntu9) |
openssl | vivid | Released (1.0.1f-1ubuntu9) |
openssl | wily | Released (1.0.1f-1ubuntu9) |
openssl | xenial | Released (1.0.1f-1ubuntu9) |
openssl | yakkety | Released (1.0.1f-1ubuntu9) |
openssl | zesty | Released (1.0.1f-1ubuntu9) |
openssl | mantic | Released (1.0.1f-1ubuntu9) |
openssl | Patches | upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=c6a876473cbff0fd323c8abcaace98ee2d21863d |
openssl | Patches | upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=dc5dfe431cffbc1fa8eeead0853bd03395e52e71 |
openssl | Patches | upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=3f4d81e88b6f3cce83eae0448cc6542e3e251854 |
openssl | Patches | upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=d2866063015d839569c2323cae85d1d27ccdb484 |
openssl | Patches | upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6bfe55380abbf7528e04e59f18921bd6c896af1c |
openssl | Patches | upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7d07c75c5b97a31edfdec8076bd720166fdde789 |
openssl | Patches | upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=80fb4820cb1c849348b5246330b35ed4f51af562 |
nss | artful | Not vulnerable (2:3.17.1-0ubuntu1) |
nss | bionic | Not vulnerable (2:3.17.1-0ubuntu1) |
nss | cosmic | Not vulnerable (2:3.17.1-0ubuntu1) |
nss | disco | Not vulnerable (2:3.17.1-0ubuntu1) |
nss | lucid | Not vulnerable (3.17.1-0ubuntu0.10.04.1) |
nss | precise | Not vulnerable (3.17.1-0ubuntu0.12.04.1) |
nss | trusty | Not vulnerable (2:3.17.1-0ubuntu0.14.04.1) |
nss | upstream | Released (3.17.1) |
nss | focal | Not vulnerable (2:3.17.1-0ubuntu1) |
nss | jammy | Not vulnerable (2:3.17.1-0ubuntu1) |
nss | kinetic | Not vulnerable (2:3.17.1-0ubuntu1) |
nss | lunar | Not vulnerable (2:3.17.1-0ubuntu1) |
nss | utopic | Not vulnerable (2:3.17.1-0ubuntu1) |
nss | vivid | Not vulnerable (2:3.17.1-0ubuntu1) |
nss | wily | Not vulnerable (2:3.17.1-0ubuntu1) |
nss | xenial | Not vulnerable (2:3.17.1-0ubuntu1) |
nss | yakkety | Not vulnerable (2:3.17.1-0ubuntu1) |
nss | zesty | Not vulnerable (2:3.17.1-0ubuntu1) |
nss | mantic | Not vulnerable (2:3.17.1-0ubuntu1) |
nss | Patches | upstream: https://hg.mozilla.org/projects/nss/rev/45cb71fd7bca |
openjdk-6 | vivid | Not vulnerable (6b34-1.13.6-1ubuntu1) |
openjdk-6 | precise | Released (6b34-1.13.6-1ubuntu0.12.04.1) |
openjdk-6 | trusty | Released (6b34-1.13.6-1ubuntu0.14.04.1) |
openjdk-6 | artful | Does not exist |
openjdk-6 | bionic | Does not exist |
openjdk-6 | cosmic | Does not exist |
openjdk-6 | disco | Does not exist |
openjdk-6 | focal | Does not exist |
openjdk-6 | jammy | Does not exist |
openjdk-6 | kinetic | Does not exist |
openjdk-6 | lucid | Released (6b34-1.13.6-1ubuntu0.10.04.1) |
openjdk-6 | lunar | Does not exist |
openjdk-6 | upstream | Ignored (end of life) |
openjdk-6 | utopic | Released (6b34-1.13.6-1ubuntu0.14.10.1) |
openjdk-6 | wily | Not vulnerable (6b34-1.13.6-1ubuntu1) |
openjdk-6 | xenial | Does not exist |
openjdk-6 | yakkety | Does not exist |
openjdk-6 | zesty | Does not exist |
openjdk-6 | mantic | Does not exist |
pound | trusty | Needed |
pound | artful | Not vulnerable (2.6-6.1) |
pound | bionic | Does not exist |
pound | cosmic | Does not exist |
pound | disco | Does not exist |
pound | focal | Not vulnerable (2.6-6.1) |
pound | jammy | Not vulnerable (2.6-6.1) |
pound | kinetic | Not vulnerable (2.6-6.1) |
pound | lucid | Does not exist |
pound | lunar | Does not exist |
pound | precise | Ignored (end of life) |
pound | upstream | Needs triage |
pound | utopic | Ignored (end of life) |
pound | vivid | Released (2.6-6+deb8u1build0.15.04.1) |
pound | wily | Not vulnerable (2.6-6.1) |
pound | xenial | Not vulnerable (2.6-6.1) |
pound | yakkety | Not vulnerable (2.6-6.1) |
pound | zesty | Not vulnerable (2.6-6.1) |
pound | mantic | Does not exist |
openjdk-7 | artful | Does not exist |
openjdk-7 | bionic | Does not exist |
openjdk-7 | cosmic | Does not exist |
openjdk-7 | disco | Does not exist |
openjdk-7 | focal | Does not exist |
openjdk-7 | jammy | Does not exist |
openjdk-7 | kinetic | Does not exist |
openjdk-7 | lucid | Does not exist |
openjdk-7 | lunar | Does not exist |
openjdk-7 | precise | Released (7u75-2.5.4-1~precise1) |
openjdk-7 | trusty | Released (7u75-2.5.4-1~trusty1) |
openjdk-7 | upstream | Released (7u73) |
openjdk-7 | utopic | Released (7u75-2.5.4-1~utopic1) |
openjdk-7 | vivid | Not vulnerable (7u75-2.5.4-1) |
openjdk-7 | wily | Not vulnerable (7u75-2.5.4-1) |
openjdk-7 | xenial | Does not exist |
openjdk-7 | yakkety | Does not exist |
openjdk-7 | zesty | Does not exist |
openjdk-7 | mantic | Does not exist |
openssl098 | artful | Does not exist |
openssl098 | bionic | Does not exist |
openssl098 | cosmic | Does not exist |
openssl098 | disco | Does not exist |
openssl098 | focal | Does not exist |
openssl098 | jammy | Does not exist |
openssl098 | kinetic | Does not exist |
openssl098 | lucid | Does not exist |
openssl098 | lunar | Does not exist |
openssl098 | precise | Ignored (end of life) |
openssl098 | trusty | Does not exist (trusty was needed) |
openssl098 | upstream | Needs triage |
openssl098 | utopic | Ignored (end of life) |
openssl098 | vivid | Ignored (end of life) |
openssl098 | wily | Does not exist |
openssl098 | xenial | Does not exist |
openssl098 | yakkety | Does not exist |
openssl098 | zesty | Does not exist |
openssl098 | mantic | Does not exist |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 3.4 |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | Required |
Scope | Changed |
Confidentiality | Low |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
- https://www.openssl.org/~bodo/ssl-poodle.pdf
- https://www.imperialviolet.org/2014/10/14/poodle.html
- http://marc.info/?l=openssl-dev&m=141333049205629&w=2
- https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
- https://www.openssl.org/news/secadv_20141015.txt
- http://askubuntu.com/a/537196
- https://ubuntu.com/security/notices/USN-2486-1
- https://ubuntu.com/security/notices/USN-2487-1
- NVD
- Launchpad
- Debian