PT-2014-1693 · Novell (+22) · Suse Linux Enterprise Desktop (+37)
Bodo Möller (+2)
Published 1999-01-01 · Updated 2026-05-28
CVE-2014-3566 · CVSS v2.0 4.3 (Medium) · Vector AV:N/AC:M/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions
OpenSSL versions prior to 1.0.1i
OpenSSL through 1.0.1i
PAN-OS versions 6.1.1 and earlier
PAN-OS versions 6.0.7 and earlier
PAN-OS versions 5.1.x and 5.0.x
EOS versions 4.12.0 through 4.12.7.1
EOS versions 4.13.0 through 4.13.6
Apple Mac OS X (affected versions not specified)
Debian Linux (affected versions not specified)
Fedora Project Fedora (affected versions not specified)
IBM AIX (affected versions not specified)
IBM VIOS (affected versions not specified)
Mageia (affected versions not specified)
NetBSD (affected versions not specified)
Novell SUSE Linux Enterprise Desktop (affected versions not specified)
Novell SUSE Linux Enterprise Server (affected versions not specified)
Novell SUSE Linux Enterprise Software Development Kit (affected versions not specified)
openSUSE (affected versions not specified)
Oracle Database (affected versions not specified)
Red Hat Enterprise Linux (affected versions not specified)
Red Hat Enterprise Linux Desktop (affected versions not specified)
Red Hat Enterprise Linux Desktop Supplementary (affected versions not specified)
Red Hat Enterprise Linux Server (affected versions not specified)
Red Hat Enterprise Linux Server Supplementary (affected versions not specified)
Red Hat Enterprise Linux Workstation (affected versions not specified)
Red Hat Enterprise Linux Workstation Supplementary (affected versions not specified)
Check Point GAiA (affected versions not specified)
HPE iLO (affected versions not specified)
Huawei products (affected versions not specified)
Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25
Description
The SSL 3.0 protocol uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, also known as the "POODLE" issue. Under certain conditions this allows an attacker to decrypt part of the encrypted content. The preconditions for successful exploitation are broadly similar to those of the BEAST attack: the attacker needs a man-in-the-middle position in the network and the ability to make the victim client send many repeated requests to the vulnerable server on the attacker's behalf. Because of these preconditions, the risk of exploitation is not particularly high.
Recommendations
For OpenSSL versions prior to 1.0.1i, update to a version newer than 1.0.1i to mitigate the risk.
For PAN-OS versions 6.1.1 and earlier, update to a version newer than 6.1.1 to mitigate the risk.
For PAN-OS versions 6.0.7 and earlier, update to a version newer than 6.0.7 to mitigate the risk.
For PAN-OS versions 5.1.x and 5.0.x, update to a version newer than the 5.1.x and 5.0.x branches to mitigate the risk.
For EOS versions 4.12.0 through 4.12.7.1, update to a version newer than 4.12.7.1 to mitigate the risk.
For EOS versions 4.13.0 through 4.13.6, update to a version newer than 4.13.6 to mitigate the risk.
For other affected products, update to a version that includes a fix for the POODLE issue.
As a temporary workaround, consider disabling the SSLv3 protocol until a patch is available.
Restrict access to the vulnerable server to minimize the risk of exploitation.
Avoid using the SSLv3 protocol on the affected API endpoints until the issue is resolved.
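To verify that the workaround above (SSLv3 disabled) actually took effect, a defender can inspect the protocol version a server selects in its ServerHello; the following Python parser is an added example, not part of this record or of any listed vendor's code, and it flags SSL 3.0 as the POODLE-exposed case. The ServerHello bytes are constructed inline rather than captured, and the function names (`negotiated_version`, `is_sslv3_exposed`, `build_server_hello`) are assumptions of this example.

```python
import struct

HANDSHAKE = 22      # TLS/SSL record-layer content type for handshake messages
SERVER_HELLO = 2    # handshake message type for ServerHello
SSLV3 = (3, 0)      # protocol version bytes that identify SSL 3.0
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def negotiated_version(record: bytes) -> tuple:
    """Return (major, minor) selected by the server, read from one handshake record.

    Record layer: type(1) version(2) length(2); handshake: type(1) length(3) body;
    the ServerHello body begins with the server-selected protocol version(2).
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 6:
        raise ValueError("truncated handshake record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    if hs_len < 2 or len(body) < 4 + hs_len:
        raise ValueError("truncated ServerHello")
    return (body[4], body[5])


def is_sslv3_exposed(record: bytes) -> bool:
    """True when the server accepted SSL 3.0, the protocol POODLE applies to."""
    return negotiated_version(record) == SSLV3


def build_server_hello(major: int, minor: int) -> bytes:
    """Constructed sample ServerHello (not a real capture): version, 32-byte
    random, empty session id, one cipher suite (0x002f), null compression."""
    body = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, major, minor]) + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    for sample in (build_server_hello(3, 0), build_server_hello(3, 3)):
        ver = negotiated_version(sample)
        print(VERSION_NAMES.get(ver, str(ver)), "EXPOSED" if is_sslv3_exposed(sample) else "ok")
```

On a live host the same function can be applied to the first server record read back after sending a ClientHello that offers only SSLv3; a ValueError (for example an alert record instead of a ServerHello) then means the server refused the protocol.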
Affected Products
Aix
Alt Linux
Centos
Check Point Gaia
Cisco Ios Xr
Debian
Eos
Fedora
Gaia
Hpe Ilo
Hp-Ux
Huawei Vrp
Ibm Aix
Java Platform
Java Se
Junos
Mageia
Netbsd
Openssl
Opensuse
Oracle Database
Pan-Os
Red Hat
Red Hat Enterprise Linux Desktop
Red Hat Enterprise Linux Desktop Supplementary
Red Hat Enterprise Linux Server
Red Hat Enterprise Linux Server Supplementary
Red Hat Enterprise Linux Workstation
Red Hat Enterprise Linux Workstation Supplementary
Suse Linux Enterprise Desktop
Suse Linux Enterprise Server
Suse Linux Enterprise Software Development Kit
Suse
Ubuntu
Vios
Vmware Vcenter
Ilo
Apple Macos