CVE-2014-3566

Impact: Important
Public Date: 2014-10-14
IAVA: 2015-B-0012, 2015-B-0013, 2015-B-0014
CWE: (CWE-636|CWE-757)
Bugzilla: 1152789: CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack

A flaw was found in the way SSL 3.0 handled padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw allows a man-in-the-middle (MITM) attacker to decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.
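
The padding rule behind this flaw, as an added illustration (not Red Hat's or OpenSSL's code): a model of the receiver's check after CBC decryption, with no cipher or network involved, comparing the SSL 3.0 rule with the stricter TLS 1.0+ rule. HMAC-SHA1 as the record MAC, the key, the payload and the filler bytes are constructed stand-ins.

```python
import hashlib
import hmac

BLOCK = 8                      # CBC block size in bytes (3DES); AES uses 16
MAC_LEN = 20                   # SHA-1 output length
KEY = b"constructed-mac-key"   # constructed sample key

def mac(payload: bytes) -> bytes:
    # HMAC-SHA1 stands in for the SSL 3.0 record MAC (assumption of this example).
    return hmac.new(KEY, payload, hashlib.sha1).digest()

def ssl3_strip(plain: bytes):
    """SSL 3.0: only the length byte is checked; the other padding bytes are ignored."""
    pad_len = plain[-1]
    if pad_len >= BLOCK or pad_len + 1 > len(plain):
        return None
    return plain[:-(pad_len + 1)]

def tls_strip(plain: bytes):
    """TLS 1.0 and later: every padding byte must equal the length byte."""
    pad_len = plain[-1]
    if pad_len + 1 > len(plain):
        return None
    if any(b != pad_len for b in plain[-(pad_len + 1):]):
        return None
    return plain[:-(pad_len + 1)]

def accepts(strip, plain: bytes) -> bool:
    """Receiver logic after CBC decryption: strip padding, then verify the MAC."""
    body = strip(plain)
    if body is None or len(body) < MAC_LEN:
        return False
    payload, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(mac(payload), tag)

def acceptance_count(strip) -> int:
    """Count accepted records when the final, padding-only block holds
    bytes the sender never wrote, over all 256 values of its last byte."""
    payload = b"constructed payload!"   # 20 bytes, so payload + MAC fills 5 blocks
    body = payload + mac(payload)
    garbage = b"\xa5" * (BLOCK - 1)     # constructed filler, not valid TLS padding
    return sum(accepts(strip, body + garbage + bytes([last])) for last in range(256))

if __name__ == "__main__":
    print("SSL 3.0 rule accepts", acceptance_count(ssl3_strip), "of 256")
    print("TLS rule accepts    ", acceptance_count(tls_strip), "of 256")
```

Under the SSL 3.0 rule one value in 256 passes both the padding and MAC checks, which is where the "256 tries" figure comes from; the TLS rule rejects all of them.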

Find out more about CVE-2014-3566 from the MITRE CVE dictionary and NIST NVD.

Statement

This issue affects the version of openssl as shipped with Red Hat Enterprise Linux 5, 6 and 7, Red Hat JBoss Enterprise Application Platform 5 and 6, Red Hat JBoss Web Server 1 and 2, Red Hat Enterprise Virtualization Hypervisor 6.5, and Red Hat Storage 2.1.

This issue affects the version of nss as shipped with Red Hat Enterprise Linux 5, 6 and 7.

Additional information can be found in the Red Hat Knowledgebase article:
https://access.redhat.com/articles/1232123

CVSS v2 metrics

Base Score 5
Base Metrics AV:N/AC:L/Au:N/C:P/I:N/A:N
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Partial
Integrity Impact None
Availability Impact None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Satellite Capsule 6.0 RHBA-2014:1857 2014-11-13
Red Hat Satellite 5.6 (RHEL v.5) (java-1.6.0-ibm) RHSA-2015:0264 2015-02-24
Red Hat Satellite 6.0 RHBA-2014:1857 2014-11-13
Oracle Java for Red Hat Enterprise Linux 7 (java-1.7.0-oracle) RHSA-2015:0079 2015-01-22
Oracle Java for Red Hat Enterprise Linux 6 (java-1.7.0-oracle) RHSA-2015:0079 2015-01-22
Red Hat JBoss Web Server 2.1 RHSA-2014:1920 2014-12-01
Red Hat JBoss Web Platform 5.2 RHSA-2015:0011 2015-01-05
Red Hat JBoss Enterprise Application Platform 6.3 RHSA-2015:0012 2015-01-05
Oracle Java for Red Hat Enterprise Linux 6 (java-1.8.0-oracle) RHSA-2015:0080 2015-01-22
RHOSE Client 2.0 (openshift-origin-node-proxy) RHSA-2015:1546 2015-08-04
RHOSE Client 2.0 (openshift-origin-node-proxy) RHSA-2015:1545 2015-08-04
Oracle Java for Red Hat Enterprise Linux 6 (java-1.6.0-sun) RHSA-2015:0086 2015-01-26
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.7.1-ibm) RHSA-2014:1880 2014-11-20
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.5.0-ibm) RHSA-2014:1881 2014-11-20
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.7.0-ibm) RHSA-2014:1882 2014-11-20
Red Hat Satellite 5.6 (RHEL v.6) (java-1.6.0-ibm) RHSA-2015:0264 2015-02-24
Red Hat JBoss Enterprise Application Platform 5.2 RHSA-2015:0010 2015-01-05
Red Hat Enterprise Linux 5 (java-1.6.0-openjdk) RHSA-2015:0085 2015-01-26
Red Hat Enterprise Linux Supplementary (v. 7) (java-1.7.1-ibm) RHSA-2014:1880 2014-11-20
Red Hat Enterprise Linux 7 (java-1.7.0-openjdk) RHSA-2015:0067 2015-01-21
Red Hat Enterprise Linux 5 (java-1.7.0-openjdk) RHSA-2015:0068 2015-01-20
Oracle Java for Red Hat Enterprise Linux 5 (java-1.6.0-sun) RHSA-2015:0086 2015-01-26
Red Hat Enterprise Linux 6 (java-1.8.0-openjdk) RHSA-2015:0069 2015-01-21
Red Hat Enterprise Linux Supplementary 5 (java-1.7.0-ibm) RHSA-2014:1876 2014-11-19
Red Hat Enterprise Linux Supplementary 5 (java-1.6.0-ibm) RHSA-2014:1877 2014-11-19
Red Hat Enterprise Linux 6 (java-1.7.0-openjdk) RHSA-2015:0067 2015-01-21
Oracle Java for Red Hat Enterprise Linux 5 (java-1.7.0-oracle) RHSA-2015:0079 2015-01-22
Red Hat Enterprise Linux 7 (java-1.6.0-openjdk) RHSA-2015:0085 2015-01-26
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.6.0-ibm) RHSA-2014:1877 2014-11-19
Red Hat Enterprise Linux 6 (java-1.6.0-openjdk) RHSA-2015:0085 2015-01-26
Red Hat Enterprise Linux Supplementary 5 (java-1.5.0-ibm) RHSA-2014:1881 2014-11-20
Oracle Java for Red Hat Enterprise Linux 7 (java-1.6.0-sun) RHSA-2015:0086 2015-01-26

Affected Packages State

Platform Package State
Red Hat OpenStack Platform 9.0 puppet Will not fix
Red Hat OpenStack Platform 8.0 (Liberty) puppet Will not fix
Red Hat OpenShift Enterprise 2 jenkins Affected
Red Hat OpenShift Enterprise 1 jenkins Will not fix
Red Hat JBoss EWS 1 openssl Will not fix
Red Hat Gluster Storage 2.1 openssl Affected
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 puppet Will not fix
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 puppet Will not fix
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 puppet Will not fix
Red Hat Enterprise Linux 7 openssl098e Affected
Red Hat Enterprise Linux 7 nss Affected
Red Hat Enterprise Linux 7 openssl Affected
Red Hat Enterprise Linux 7 gnutls Under investigation
Red Hat Enterprise Linux 6 openssl Affected
Red Hat Enterprise Linux 6 gnutls Under investigation
Red Hat Enterprise Linux 6 nss Affected
Red Hat Enterprise Linux 5 openssl097a Affected
Red Hat Enterprise Linux 5 openssl Affected
Red Hat Enterprise Linux 5 gnutls Under investigation
Red Hat Enterprise Linux 5 nss Affected
RHEV-M for Servers mingw-virt-viewer Affected
OpenStack 6 Installer for RHEL 7 puppet Will not fix
