oss-sec mailing list archives
Re: Being vulnerable to POODLE
From: Sevan Janiyan <venture37 () geeklan co uk>
Date: Sat, 26 Dec 2015 14:02:26 +0000
On 26/12/2015 11:05, Gsunde Orangen wrote:
Nope, it is not a vulnerability specific to OpenSSL, but a design weakness in the SSLv3 protocol - so all implementations of SSLv3 are affected. I would use the same CVE-2014-3566 for all software that still uses SSLv3. This is different to "POODLE TLS", where some implementations (but not OpenSSL) contained a similar vulnerability in their implementation of the TLS 1.0 protocol (although the TLS 1.0 standard itself does not have it). In this case different CVE IDs are suggested - see Mitre's statement at [1] "POODLE TLS" is references in multiple CVEs, see [2] [1] http://seclists.org/oss-sec/2014/q4/1003 [2] https://web.nvd.nist.gov/view/vuln/search-results?query=poodle%20tls
Ok, so in this case, changing the source code to set the context options to exclude SSLv2 & v3 was all that was made. The code base is a consumer of the OpenSSL API & relies on that to establish SSL, it does not implement any crypto itself locally. Sevan
Current thread:
- Being vulnerable to POODLE Sevan Janiyan (Dec 26)
- Re: Being vulnerable to POODLE gremlin (Dec 26)
- Re: Being vulnerable to POODLE Gsunde Orangen (Dec 26)
- Re: Being vulnerable to POODLE Sevan Janiyan (Dec 26)
- Re: Being vulnerable to POODLE Gsunde Orangen (Dec 26)
- Re: Being vulnerable to POODLE Florian Weimer (Dec 28)
- Re: Being vulnerable to POODLE Sevan Janiyan (Dec 28)
- Re: Being vulnerable to POODLE Florian Weimer (Dec 28)
- Re: Being vulnerable to POODLE Sevan Janiyan (Dec 29)
- Re: Being vulnerable to POODLE Sevan Janiyan (Dec 28)
- Re: Being vulnerable to POODLE gremlin (Dec 26)