CVE-2014-3566

Published: 14 October 2014

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

Priority

Medium

CVSS 3 base score: 3.4

Status

Package Release Status
nss
Launchpad, Ubuntu, Debian
Upstream
Released (3.17.1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(2:3.17.1-0ubuntu1)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(2:3.17.1-0ubuntu1)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(2:3.17.1-0ubuntu0.14.04.1)
Patches:
Upstream: https://hg.mozilla.org/projects/nss/rev/45cb71fd7bca
openjdk-6
Launchpad, Ubuntu, Debian
Upstream Ignored
(reached end-of-life)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [6b34-1.13.6-1ubuntu0.14.04.1])
openjdk-7
Launchpad, Ubuntu, Debian
Upstream
Released (7u73)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [7u75-2.5.4-1~trusty1])
openssl
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver)
Released (1.0.1f-1ubuntu9)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (1.0.1f-1ubuntu9)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (1.0.1f-1ubuntu2.7)
Patches:
Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=c6a876473cbff0fd323c8abcaace98ee2d21863d (0.9.8)
Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=dc5dfe431cffbc1fa8eeead0853bd03395e52e71 (0.9.8)
Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=3f4d81e88b6f3cce83eae0448cc6542e3e251854 (0.9.8)
Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=d2866063015d839569c2323cae85d1d27ccdb484 (0.9.8)
Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6bfe55380abbf7528e04e59f18921bd6c896af1c (1.0.1)
Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7d07c75c5b97a31edfdec8076bd720166fdde789 (1.0.1)
Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=80fb4820cb1c849348b5246330b35ed4f51af562 (missing from 1.0.1)
openssl098
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needed)
pound
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(2.6-6.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needed)

Notes

AuthorNote
mdeslaur
We recommend disabling SSLv3 on servers, if possible.

Community-provided information on disabling SSLv3 can be found
here:

http://askubuntu.com/a/537196

SANS provided information on disabling SSLv3 can be found here:
https://isc.sans.edu/forums/diary/POODLE+Turning+off+SSLv3+for+various+servers+and+client+/18837

References

Bugs