Overview

POODLE is a medium-severity TLS vulnerability disclosed in early October 2014. It works by forcing a downgrade to SSLv3 during TLS connection setup, then exploiting a padding vulnerability in SSLv3's use of CBC mode to reveal some (but not all) bytes of plaintext.

CVE-2014-3566 -- medium vulnerability

As a vulnerability, it is quite difficult to exploit: it requires an active middle person between two TLS endpoints, and the victim must also voluntarily interact with the attack mechanism (e.g. through browser XSS injection).

To familiarize yourself with your OS vendor's response to these disclosures, refer to your vendor's security information portal and search by CVE name:

  • Red Hat -- online CVE tracker
  • CentOS -- centos-announce mailing list
  • Ubuntu -- online CVE tracker

For specific information on CVE-2014-6271:

For specific information on CVE-2014-7169:

Note that the patched package version, when available, is noted for every vulnerability. In most cases a direct link is provided to the updated package files.

Resolution

RightScale's hosts were upgraded to support SCSV the day after the vulnerability was announced. We strongly urge our clients to upgrade their SSL libraries to a version that supports SCSV, which will render them immune to POODLE attacks.

RightScale is preparing to announce end-of-life for SSLv3 support in all of its Internet-facing hosts. We are reaching out to affected customers now, and will disable SSLv3 permanently when the customer impact has been addressed.

We have published a script, which can be found here, that will automatically update the OpenSSL package of any Linux instance to add the SCSV functionality introduced in the latest OpenSSL packages. For Windows instances hosting SSL endpoints, we suggest disabling support for SSL v3. For clients, we suggest not forcing SSL v3: many endpoints are moving away from supporting it, and a client that forces SSL v3 will not be allowed to connect to them.
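
How SCSV support on the server stops the forced downgrade, as an added example (not RightScale's script and not OpenSSL's code): the server-side rule from RFC 7507 applied to ClientHello records constructed inline. The function names, the sample hellos and the server's assumed best version (TLS 1.2) are illustrative assumptions.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600         # signalling cipher suite value from RFC 7507
ALERT_INAPPROPRIATE_FALLBACK = 86  # fatal alert defined by RFC 7507
SSL3, TLS10, TLS12 = 0x0300, 0x0301, 0x0303

def parse_client_hello(record: bytes):
    """Return (client_version, cipher_suite_ids) from one handshake record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:]                  # skip 5-byte record + 4-byte handshake header
    try:
        version = struct.unpack_from("!H", body, 0)[0]
        pos = 2 + 32                   # client_version + random
        pos += 1 + body[pos]           # session_id length byte + session_id
        n = struct.unpack_from("!H", body, pos)[0]
        if n % 2:
            raise ValueError("odd cipher_suites length")
        suites = struct.unpack_from("!%dH" % (n // 2), body, pos + 2)
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    return version, list(suites)

def server_decision(record: bytes, server_max: int = TLS12):
    """RFC 7507 server rule: refuse a fallback hello below our best version."""
    version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    return ("negotiate", min(version, server_max))

def build_client_hello(version: int, suites) -> bytes:
    """Construct a ClientHello record (constructed sample input, not a capture)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"  # zero random, empty session_id
    body += struct.pack("!H%dH" % len(suites), 2 * len(suites), *suites)
    body += b"\x01\x00"                                       # null compression only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs

if __name__ == "__main__":
    AES128_SHA = 0x002F  # TLS_RSA_WITH_AES_128_CBC_SHA
    for label, hello in [
        ("SSLv3 retry with SCSV", build_client_hello(SSL3, [AES128_SHA, TLS_FALLBACK_SCSV])),
        ("SSLv3 retry without SCSV", build_client_hello(SSL3, [AES128_SHA])),
        ("TLS 1.2 first attempt", build_client_hello(TLS12, [AES128_SHA])),
    ]:
        print(label, "->", server_decision(hello))
```

The second case is the one to notice: a client that does not send the SCSV is still negotiated down to SSLv3, so the check only protects connections where both ends support it.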

Test your SSL endpoint