Information regarding the POODLE vulnerability affecting SSL versions 2 and 3.
Red Hat Product Security has been made aware of a vulnerability in the SSLv3 protocol, which has been assigned CVE-2014-3566 and commonly referred to as 'POODLE'. All implementations of SSLv3 are affected.
POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. More details are available in the upstream OpenSSL advisory.
POODLE affects older standards of encryption, specifically Secure Socket Layer (SSL) version 3. It does not affect the newer encryption mechanism known as Transport Layer Security (TLS).
Avoiding Man-In-The-Middle Attacks
Exploiting this vulnerability is not easily accomplished. Man-in-the-middle attacks require large amounts of time and resources. While likelihood is low, Red Hat recommends implementing only TLS to avoid flaws in SSL.
Avoiding a Fallback Attack
Several vendors have provided patches to cryptographic libraries introducing a TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV). This fallback mechanism allows clients to indicate to a server that they support newer SSL/TLS versions than those initially proposed. In the event of suspicious behavior where a client attempts to fallback to an older version when newer versions are supported, the server will abort the connection.
Currently, only HTTPs clients perform out-of-band protocol fallback.
Products that Red Hat support currently vulnerable from a client side perspective are:
- Curl command line tool and libraries
Currently, Google's Chromium is the only web based browser supported by Red Hat that will handle this functionality client side.
To avoid the fallback attack, supported browsers (only Chromium at this time) must interact with a server supporting TLS_FALLBACK_SCSV negotiation
The server side also needs to be patched to support SCSV extension, and does not need a rebuild with the patched crypto library. Again, due to current lack of support in most common web browsers, any changes server side will only be relevant when client based browsers support the more secure measures.
For non HTTPs clients:
Disabling SSLv3 in favor of at least a TLS connection is recommended. However in disabling SSL it is important to understand that certain applications that do not support TLS could default to plain-text transmission which would be worse from a security perspective than the vulnerable SSL protocol. Before disabling SSL on services, please carefully consider these measures.
Red Hat Support Subscribers
As a Red Hat customer the easiest way to check vulnerability and confirm remediation is the Red Hat Access Lab: SSLv3 (POODLE) Detector
If you are not a subscriber, the script attached to this article (
poodle.sh) can be run against a server to check whether it has SSLv3 enabled.
NOTE: This script takes the hostname of the server to check as the first argument and an optional port as the second. By default it will check the local system and port 443.
The following guides have been established to help disable SSLv3 for affected products. Red Hat is continuously working at this time to provide additional use cases and guides to disable SSLv3. Note that if you use a third-party service to terminate SSL/TLS connections, then SSLv3 needs to be disabled by the service. Changes on your systems are not necessary in this case.
|Red Hat Enterprise Linux||Tomcat, Firefox/Chromium, httpd, vsftpd, Dovecot/Postfix, sendmail, CUPS, other components|
|JBoss Enterprise Middleware||Tomcat/JBoss Web, httpd, EJB (EAP 5), EJB (EAP 6), JMS (EAP 5), Camel, Jetty, Karaf, Fuse, A-MQ|
|Red Hat Satellite||Satellite Configuration|
|Red Hat Certificate System||Tomcat|
|Inktank Ceph Enterprise||httpd|
|Red Hat Enterprise OpenShift||OpenShift Configuration , RHC client tools|
|Red Hat Enterprise Linux OpenStack Platform||httpd|
|Red Hat CloudForms||httpd|
|Red Hat Directory Server||Directory Server Configuration|
|Red Hat Enterprise Virtualization||RHEV-M|
|Red Hat JBoss Enterprise Application Platform||EJB 5, EJB 6, JMS 5|
|Red Hat Storage Console||httpd|
|Red Hat Update Infrastructure||pulp, httpd|
For More Information
If you have questions or concerns, please contact Red Hat Technical Support