[openssl-users] CVE-2014- and OpenSSL?
Jeffrey Walton
noloader at gmail.com
Tue Dec 9 20:46:02 UTC 2014
On Tue, Dec 9, 2014 at 2:07 PM, Amarendra Godbole
<amarendra.godbole at gmail.com> wrote:
> So Adam Langley writes "SSLv3 decoding function was used with TLS,
> then the POODLE attack would work, even against TLS connections." on
> his the latest POODLE affecting TLS 1.x.
> (https://www.imperialviolet.org/).
>
> I also received a notification from Symantec's DeepSight, that states:
> "OpenSSL CVE-2014-8730 Man In The Middle Information Disclosure
> Vulnerability".
>
> However, I could not find more information on OpenSSL's web-site about
> POODLE-biting-again. Did I miss any notification? Thanks.
Here's some more reading:
https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
There's nothing specific to OpenSSL. Its a design defect in the
protocols (its been well known that TLS 1.0 had the same oracle as
SSLv3 since only the IV changed between them).
Its not surprising that a PoC demonstrates it against TLS 1.0. Many
have been been waiting for it.
It looks like Ubuntu is going to have to enable TLS 1.1 and 1.2 in
12.04 LTS for clients.
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1256576.
More information about the openssl-users
mailing list