Re: CVE assignment for POODLE

[Jan Rusnacko <jrusnack () redhat com>]

On 15.10.2014 11:48, Florian Weimer wrote:
> CVE-2014-3566 is currently assigned to an SSL 3.0 protocol vulnerability:
>
> “The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which 
> makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the 
> "POODLE" issue.”
>
> What we seem to be lacking is a CVE assignment for the protocol downgrade “dance” implemented by some browsers, 
> explicitly designed to negate the effect of the downgrade protection in the TLS protocol (the protocol upgrade to TLS 
> 1.0 and beyond is arguably the “fix” for CVE-2014-3566 as it is described above).
There already might be a confusion from how this is presented in relation to Poodle, e.g 
(http://marc.info/?l=openssl-dev&m=141333049205629&w=2):
"Here's a patch for the OpenSSL 1.0.1 branch that adds support for
TLS_FALLBACK_SCSV, which can be used to counter the POODLE attack"

when in fact TLS_FALLBACK_SCSV is a fix for downgrade dance. Additional CVE will help tracking these two issues and 
their fixes separately.
-- 
Jan Rusnacko, Red Hat Product Security