WHAT IS THIS CVE ABOUT?
POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. More details are available in the upstream OpenSSL advisory.
POODLE affects older standards of encryption, specifically Secure Sockets Layer (SSL) version 3. It does not affect the newer encryption mechanism known as Transport Layer Security (TLS).
AM I AFFECTED?
This CVE is not operating-system specific. You need to check your application, whether it runs on a Linux or a Windows platform.
Test online
Test offline
Save this file on a Linux server and run the test as below:
# example of a server that is not vulnerable
$ bash poodle.sh foobar.example.com 443
foobar.example.com:443 - Not vulnerable. Failed to establish SSLv3 connection.
# example of a server that is vulnerable
$ bash poodle.sh foobar.example.com 443
foobar.example.com:443 - Vulnerable! SSLv3 connection established using SSLv3/$CIPHER
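An SSLv3 probe of the kind run above, as an added example: it is not the poodle.sh file this post refers to, and the function names classify_sslv3 and check_poodle are hypothetical. It assumes the openssl command-line tool, and it also reports an inconclusive result when the local openssl build has no SSLv3 support, since a failed handshake then says nothing about the server.

```shell
#!/usr/bin/env bash
# Added example, not the original poodle.sh. Function names are hypothetical.

# Classify the text printed by `openssl s_client -ssl3`.
# Kept separate from the network call so the verdict logic can be checked offline.
# Return codes: 0 = not vulnerable, 1 = vulnerable, 2 = inconclusive.
classify_sslv3() {
    local out="$1" proto cipher
    # An openssl built without SSLv3 rejects the -ssl3 flag outright;
    # that failure must not be read as "server refuses SSLv3".
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        echo "Inconclusive. Local openssl has no SSLv3 support."
        return 2
    fi
    # Pull the negotiated protocol and cipher from the SSL-Session block.
    proto=$(printf '%s\n' "$out" | awk -F': *' '/^ *Protocol *:/ {print $2; exit}')
    cipher=$(printf '%s\n' "$out" | awk -F': *' '/^ *Cipher *:/ {print $2; exit}')
    # s_client prints cipher 0000 when no session was negotiated.
    if [ "$proto" = "SSLv3" ] && [ -n "$cipher" ] && [ "$cipher" != "0000" ]; then
        echo "Vulnerable! SSLv3 connection established using SSLv3/$cipher"
        return 1
    fi
    echo "Not vulnerable. Failed to establish SSLv3 connection."
    return 0
}

# Attempt an SSLv3-only handshake against host:port and print the verdict.
check_poodle() {
    local host="$1" port="${2:-443}" out
    # </dev/null closes stdin so s_client exits right after the handshake.
    out=$(openssl s_client -ssl3 -connect "$host:$port" </dev/null 2>&1)
    printf '%s:%s - ' "$host" "$port"
    classify_sslv3 "$out"
}

# Run only when arguments are given: bash sslv3_check.sh host [port]
if [ "$#" -ge 1 ]; then
    check_poodle "$@"
fi
```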
CONSIDERATION
For non-HTTPS clients:
Disabling SSLv3 in favor of at least a TLS connection is recommended. However, when disabling SSL it is important to understand that certain applications that do not support TLS could default to plain-text transmission, which would be worse from a security perspective than the vulnerable SSL protocol. Before disabling SSL on services, please carefully consider these measures.
HOW TO FIX?
Please identify your affected application (the one that runs SSL) and follow the general guidelines here for the fix.
ANY DOWNTIME NEEDED?
It depends on your application; normally an application restart is needed.