CVE-2014-3566
high-risk
Published 2014-10-15
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
Do I need to act?
94.0% chance of exploitation in next 30 days (EPSS score: higher than 6% of all CVEs)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 3.4/10 (Low), NETWORK / HIGH complexity
Affected Products (20)
References (487)
Third Party Advisory: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-015.txt.asc
Third Party Advisory: http://advisories.mageia.org/MGASA-2014-0416.html
Third Party Advisory: http://aix.software.ibm.com/aix/efixes/security/openssl_advisory11.asc
Third Party Advisory: http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html
Third Party Advisory: http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html
Third Party Advisory: http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vul...
Third Party Advisory: http://blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html
Third Party Advisory: http://blog.nodejs.org/2014/10/23/node-v0-10-33-stable/
Third Party Advisory: http://blogs.technet.com/b/msrc/archive/2014/10/14/security-advisory-3009008-rel...
Third Party Advisory: http://docs.ipswitch.com/MOVEit/DMZ82/ReleaseNotes/MOVEitReleaseNotes82.pdf
Third Party Advisory: http://downloads.asterisk.org/pub/security/AST-2014-011.html
Third Party Advisory: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ss...
Third Party Advisory: http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04583581
Third Party Advisory: http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04779034
Third Party Advisory: http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
Third Party Advisory: http://lists.fedoraproject.org/pipermail/package-announce/2014-November/142330.h...
Third Party Advisory: http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141114.ht...
Third Party Advisory: http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141158.ht...
and 467 more references
64 / 100 (high-risk)
Severity: 12/34 · Low
Exploitability: 20/34 · Moderate
Exposure: 32/34 · Critical