CVE-2014-3566: SSL Poodle Vulnerability - Connect IT Community | Kaseya
<main> <article class="userContent">
<h3 data-id="cve-id"><strong>CVE ID</strong></h3>
<p>CVE-2014-3566</p>
<h3 data-id="description"><strong>DESCRIPTION</strong></h3>
<p>The Padding Oracle On Downgraded Legacy Encryption (POODLE) vulnerability allows a man-in-the-middle attacker to decrypt ciphertext by exploiting the padding bytes of SSL 3.0 CBC-mode encryption.<br><br>Exploiting this vulnerability is not easily accomplished. Man-in-the-middle attacks require large amounts of time and resources. While the likelihood is low, Red Hat recommends implementing only TLS to avoid flaws in SSL. Disabling SSLv3 in favor of at least a TLS connection is recommended.</p>
<h3 data-id="red-hat-statement">Red Hat statement</h3>
<p>All implementations of SSLv3 are affected. Red Hat Enterprise Linux and other Red Hat products include libraries which enable the use of SSLv3. This vulnerability does not affect the newer encryption mechanism known as Transport Socket Layer (TLS).<br><br>To mitigate this vulnerability, you should disable SSLv3 in all affected packages.</p>
<h3 data-id="unitrends-statement">Unitrends statement</h3>
<p>Risk to Unitrends systems: Low<br><br>The attacker has to interject himself as a man-in-the-middle, which is difficult and time-consuming. He would also need to understand the protocols we use to back up or replicate to intercept any critical data.
OpenVPN 2.x also does not support SSLv3.</p>
<h3 data-id="resolution"><strong>RESOLUTION</strong></h3>
<p>Unitrends disables SSLv3 for web access in /etc/httpd/conf.d/ssl.conf with release 8.0.0-2 and later.</p>
<h3 data-id="link-to-advisories"><strong>LINK TO ADVISORIES</strong></h3>
<ul>
<li><a rel="nofollow" href="https://access.redhat.com/articles/1232123">https://access.redhat.com/articles/1232123</a></li>
<li><a rel="nofollow" href="https://access.redhat.com/security/cve/CVE-2014-3566">https://access.redhat.com/security/cve/CVE-2014-3566</a></li>
<li><a rel="nofollow" href="https://bugzilla.redhat.com/show_bug.cgi?id=1152789">https://bugzilla.redhat.com/show_bug.cgi?id=1152789</a></li>
</ul>
</article> </main>
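<p>As an added example (not Unitrends or Red Hat code), the script below audits the <code>SSLProtocol</code> directives of an Apache mod_ssl configuration, such as the /etc/httpd/conf.d/ssl.conf named in the resolution, and flags any that still permit SSLv3. The function name <code>audit_sslprotocol</code> and the sample configuration are constructed for illustration, and <code>all</code> is assumed to include SSLv3.</p>

```shell
#!/bin/sh
# Added example (not Unitrends or Red Hat code): audit SSLProtocol lines.
# Assumption: "all" counts as including SSLv3, as on mod_ssl builds that
# still ship SSLv3 support, so the check errs on the cautious side.

# Prints "<line>: enabled|disabled" per directive, or "0: unset" if none.
# Returns 0 only when a directive exists and none leaves SSLv3 enabled.
audit_sslprotocol() {
    awk '
    tolower($1) == "sslprotocol" {
        seen = 1; v3 = 0
        for (i = 2; i <= NF; i++) {
            tok = tolower($i)
            sign = substr(tok, 1, 1)
            if (sign == "+" || sign == "-") tok = substr(tok, 2)
            else sign = ""
            hit = (tok == "sslv3" || tok == "all")
            if (sign == "-")      { if (hit) v3 = 0 }
            else if (sign == "+") { if (hit) v3 = 1 }
            else                  v3 = hit   # bare token replaces the set
        }
        printf "%d: %s\n", NR, (v3 ? "enabled" : "disabled")
        if (v3) bad = 1
    }
    END { if (!seen) print "0: unset"; exit (bad || !seen) }
    ' "$1"
}

# Constructed sample standing in for /etc/httpd/conf.d/ssl.conf.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# SSLProtocol all            (commented out, ignored)
SSLProtocol all -SSLv2
<VirtualHost _default_:443>
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
EOF
audit_sslprotocol "$sample" || echo "SSLv3 is still permitted somewhere"
rm -f "$sample"
```

<p>A non-zero return status means at least one context still allows SSLv3, or that no <code>SSLProtocol</code> directive was found and the build default applies.</p>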