VID |
22636 |
Severity |
30 |
Port |
80, ... |
Protocol |
TCP |
Class |
WWW |
Detailed Description |
According to its banner, the remote web server uses a version of OpenSSL 1.0.0 prior to 1.0.0o. The OpenSSL library is therefore affected by the following vulnerabilities:
- An error exists in the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. A man-in-the-middle attacker can decrypt a selected byte of a ciphertext in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. This is also known as the 'POODLE' issue. (CVE-2014-3566)
- An error exists related to session ticket handling that can allow denial of service attacks via memory leaks. (CVE-2014-3567)
- An error exists related to the build configuration process and the 'no-ssl3' build option that allows servers and clients to process insecure SSL 3.0 handshake messages. (CVE-2014-3568)
* Note: This check relies solely on the banner of the remote web server to assess this vulnerability, so the result may be a false positive.
* References:
  - https://www.openssl.org/news/openssl-1.0.0-notes.html
  - https://www.openssl.org/news/secadv_20141015.txt
  - https://www.openssl.org/news/vulnerabilities.html
  - https://www.imperialviolet.org/2014/10/14/poodle.html
  - https://www.openssl.org/~bodo/ssl-poodle.pdf
  - https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
* Platforms Affected: OpenSSL 1.0.0 prior to 1.0.0o; Linux (any version); Unix (any version); Microsoft Windows (any version) |
Recommendation |
Upgrade to the latest version of OpenSSL (1.0.0o or later), available from the OpenSSL Web site at http://www.openssl.org/ |
Related URL |
CVE-2014-3566,CVE-2014-3567,CVE-2014-3568 (CVE) |
Related URL |
70574,70585,70586 (SecurityFocus) |
Related URL |
(ISS) |