Background InformationPOODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. More details are available in the upstream OpenSSL advisory. POODLE affects older standards of encryption, specifically Secure Socket Layer (SSL) version 3. It does not affect the newer encryption mechanism known as Transport Layer Security (TLS).
Avoiding Man-In-The-Middle AttacksExploiting this vulnerability is not easily accomplished. Man-in-the-middle attacks require large amounts of time and resources. While likelihood is low, Red Hat recommends implementing only TLS to avoid flaws in SSL.
Avoiding a Fallback AttackSeveral vendors have provided patches to cryptographic libraries introducing a TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV). This fallback mechanism allows clients to indicate to a server that they support newer SSL/TLS versions than those initially proposed. In the event of suspicious behavior where a client attempts to fallback to an older version when newer versions are supported, the server will abort the connection. Currently, only HTTPs clients perform out-of-band protocol fallback.
Products that Red Hat support currently vulnerable from a client side perspective are:
- Curl command line tool and libraries
Disabling SSLv3 in favor of at least a TLS connection is recommended. However in disabling SSL it is important to understand that certain applications that do not support TLS could default to plain-text transmission which would be worse from a security perspective than the vulnerable SSL protocol. Before disabling SSL on services, please carefully consider these measures.
Red Hat Support SubscribersAs a Red Hat customer the easiest way to check vulnerability and confirm remediation is the Red Hat Access Lab: SSLv3 (POODLE) Detector
Non SubscribersIf you are not a subscriber, the script attached to this article (
poodle.sh) can be run against a server to check whether it has SSLv3 enabled. NOTE: This script takes the hostname of the server to check as the first argument and an optional port as the second. By default it will check the local system and port 443.
ResolutionThe following guides have been established to help disable SSLv3 for affected products. Red Hat is continuously working at this time to provide additional use cases and guides to disable SSLv3. Note that if you use a third-party service to terminate SSL/TLS connections, then SSLv3 needs to be disabled by the service. Changes on your systems are not necessary in this case.
|Red Hat Enterprise Linux||Tomcat, Firefox/Chromium, httpd, vsftpd, Dovecot/Postfix, sendmail, CUPS, other components|
|JBoss Enterprise Middleware||Tomcat/JBoss Web, httpd, EJB (EAP 5), EJB (EAP 6), JMS (EAP 5), Camel, Jetty, Karaf, Fuse, A-MQ|
|Red Hat Satellite||Satellite Configuration|
|Red Hat Certificate System||Tomcat|
|Inktank Ceph Enterprise||httpd|
|Red Hat Enterprise OpenShift||OpenShift Configuration , RHC client tools|
|Red Hat Enterprise Linux OpenStack Platform||httpd|
|Red Hat CloudForms||httpd|
|Red Hat Directory Server||Directory Server Configuration|
|Red Hat Enterprise Virtualization||RHEV-M|
|Red Hat JBoss Enterprise Application Platform||EJB 5, EJB 6, JMS 5|
|Red Hat Storage Console||httpd|
|Red Hat Update Infrastructure||pulp, httpd|