oss-sec mailing list archives
CVE question: Return of POODLE
From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Tue, 09 Dec 2014 11:51:48 +0530
Hi All,
Before I ask my question: It seems some TLS implementations may be vulnerable to a POODLE-like attack if they use SSL 3.0 type padding and the padding bytes are not checked by the implementation.
https://www.imperialviolet.org/2014/12/08/poodleagain.html
https://devcentral.f5.com/articles/cve-2014-8730-padding-issue-8151
CVE-2014-8730 was assigned to this issue (by MITRE I suppose) and it's not clear if this CVE has been assigned to their code or to the protocol weakness.
I have not checked if any implementations are vulnerable, but could MITRE please confirm if it's OK to reuse this CVE if any crypto-libs are found vulnerable, or if they plan to assign another CVE id?
-- Huzaifa Sidhpurwala / Red Hat Product Security Team
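The distinction the message above turns on, as an added example that is not part of the original post and not taken from any library: a decrypted CBC record checked the SSL 3.0 way (only the final length byte) next to the TLS way (every padding byte must equal the padding length). The function names, the 20-byte MAC length and both sample records are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 32-byte decrypted records: 8 data + 20 MAC + 3 padding + length byte. */
static const uint8_t REC_TLS_PAD[32]  = { [28] = 3,    [29] = 3,    [30] = 3,    [31] = 3 };
static const uint8_t REC_JUNK_PAD[32] = { [28] = 0xde, [29] = 0xad, [30] = 0xbe, [31] = 3 };

/* SSL 3.0-style check: only the final length byte is examined, so the
 * padding bytes before it may hold any value. */
int pad_ok_ssl3_style(const uint8_t *rec, size_t len, size_t mac_len)
{
    if (len < mac_len + 1)
        return 0;
    size_t pad = rec[len - 1];
    return pad + 1 + mac_len <= len;
}

/* TLS check: the length byte and every padding byte must equal the padding
 * length. The loop has no early exit; a production implementation must also
 * make this check and the MAC check constant-time. */
int pad_ok_tls(const uint8_t *rec, size_t len, size_t mac_len)
{
    if (len < mac_len + 1)
        return 0;
    size_t pad = rec[len - 1];
    size_t max_pad = len - mac_len - 1;          /* largest legal padding length */
    uint8_t bad = (uint8_t)(pad > max_pad);
    size_t window = len < 256 ? len : 256;       /* padding never exceeds 255 bytes */
    for (size_t i = 0; i < window; i++) {
        uint8_t in_pad = (uint8_t)(0 - (uint8_t)(i <= pad));  /* 0xff inside padding */
        bad |= in_pad & (rec[len - 1 - i] ^ (uint8_t)pad);
    }
    return bad == 0;
}

int main(void)
{
    printf("TLS-style padding:  ssl3-style=%d tls=%d\n",
           pad_ok_ssl3_style(REC_TLS_PAD, 32, 20), pad_ok_tls(REC_TLS_PAD, 32, 20));
    printf("arbitrary padding:  ssl3-style=%d tls=%d\n",
           pad_ok_ssl3_style(REC_JUNK_PAD, 32, 20), pad_ok_tls(REC_JUNK_PAD, 32, 20));
    return 0;
}
```

A TLS stack whose record check behaves like `pad_ok_ssl3_style` accepts the second record, which is the condition the message describes.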