oss-sec mailing list archives

CVE question: Return of POODLE


From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Tue, 09 Dec 2014 11:51:48 +0530

Hi All,

Before I ask my question:

It seems some TLS implementations may be vulnerable to a POODLE-like attack if they use SSL 3.0 type padding and the padding bytes are not checked by the implementation.

https://www.imperialviolet.org/2014/12/08/poodleagain.html
https://devcentral.f5.com/articles/cve-2014-8730-padding-issue-8151


CVE-2014-8730 was assigned to this issue (by MITRE I suppose) and it's not clear if this CVE has been assigned to their code or to the protocol weakness.

I have not checked if any implementations are vulnerable, but could MITRE please confirm if it's OK to reuse this CVE if any crypto-libs are found vulnerable, or if they plan to assign another CVE ID?


--
Huzaifa Sidhpurwala / Red Hat Product Security Team
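
The following is an added illustration, not part of the original message and not code from any TLS library. It contrasts a check that accepts SSL 3.0 type padding (only the final length byte is examined) with the TLS rule that every padding byte must equal the length byte. The function names, the shortened `MAC_LEN` and the sample records are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAC_LEN 4 /* assumption: shortened MAC so the constructed records stay small */

/* Constructed decrypted records: 8 data bytes, 4 MAC bytes, 3 pad bytes, length byte. */
static const uint8_t rec_good[16] = {'p','l','a','i','n','t','x','t', 1,2,3,4, 3,3,3,3};
static const uint8_t rec_junk[16] = {'p','l','a','i','n','t','x','t', 1,2,3,4, 0xAA,0xBB,0xCC,3};

/* SSL 3.0 type check: only the length byte is validated, so the pad bytes
 * in front of it may hold arbitrary values and are never examined. */
int sslv3_style_padding_ok(const uint8_t *rec, size_t len, size_t mac_len)
{
    if (len < mac_len + 1)
        return 0;
    return (size_t)rec[len - 1] + 1 + mac_len <= len;
}

/* TLS check: the length must fit and every pad byte must equal the length byte.
 * The loop has no early exit; a production version also needs vetted
 * constant-time primitives, which this sketch does not claim to provide. */
int tls_padding_ok(const uint8_t *rec, size_t len, size_t mac_len)
{
    if (len < mac_len + 1)
        return 0;
    uint8_t pad = rec[len - 1];
    uint8_t bad = (uint8_t)((size_t)pad + 1 + mac_len > len);
    size_t scan = (len - 1 < 255) ? len - 1 : 255; /* bytes before the length byte */
    for (size_t i = 0; i < scan; i++) {
        /* mask is 0xff while position i lies inside the claimed padding */
        uint8_t mask = (uint8_t)(0 - (i < pad));
        bad |= (uint8_t)(mask & (rec[len - 2 - i] ^ pad));
    }
    return bad == 0;
}

int main(void)
{
    printf("well-formed padding: sslv3-style=%d tls=%d\n",
           sslv3_style_padding_ok(rec_good, sizeof rec_good, MAC_LEN),
           tls_padding_ok(rec_good, sizeof rec_good, MAC_LEN));
    printf("unchecked pad bytes: sslv3-style=%d tls=%d\n",
           sslv3_style_padding_ok(rec_junk, sizeof rec_junk, MAC_LEN),
           tls_padding_ok(rec_junk, sizeof rec_junk, MAC_LEN));
    return 0;
}
```

A record whose pad bytes differ from the length byte passes the first check and fails the second, which is the condition a crypto library would need to be tested for.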

