CVE-2014-8730

Impact:
Moderate
Public Date:
2014-12-09
CWE:
CWE-327
Bugzilla:
1171965: CVE-2014-8730 TLS: incorrect check of padding bytes when using CBC cipher suites

The MITRE CVE dictionary describes this issue as:

The SSL profiles component in F5 BIG-IP LTM, APM, and ASM 10.0.0 through 10.2.4 and 11.0.0 through 11.5.1, AAM 11.4.0 through 11.5.1, AFM 11.3.0 through 11.5.1, Analytics 11.0.0 through 11.5.1, Edge Gateway, WebAccelerator, and WOM 10.1.0 through 10.2.4 and 11.0.0 through 11.3.0, PEM 11.3.0 through 11.6.0, and PSM 10.0.0 through 10.2.4 and 11.0.0 through 11.4.1 and BIG-IQ Cloud and Security 4.0.0 through 4.4.0 and Device 4.2.0 through 4.4.0, when using TLS 1.x before TLS 1.2, does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE). NOTE: the scope of this identifier is limited to the F5 implementation only. Other vulnerable implementations should receive their own CVE ID, since this is not a vulnerability within the design of TLS 1.x itself.

Find out more about CVE-2014-8730 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

Not vulnerable. This issue does not affect the version of openssl, nss and gnutls as shipped in Red Hat Enterprise Linux 5, 6 and 7.

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score 5
Base Metrics AV:N/AC:L/Au:N/C:P/I:N/A:N
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Partial
Integrity Impact None
Availability Impact None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 7 nss Not affected
Red Hat Enterprise Linux 7 openssl Not affected
Red Hat Enterprise Linux 6 openssl Not affected
Red Hat Enterprise Linux 6 nss Not affected
Red Hat Enterprise Linux 5 openssl Not affected
Red Hat Enterprise Linux 5 nss Not affected

Last Modified

CVE description copyright © 2017, The MITRE Corporation

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.