CVE-2014-3566

Impact:
Important
Public Date:
2014-10-14
IAVA:
2015-B-0012, 2015-B-0013, 2015-B-0014
CWE:
(CWE-636|CWE-757)
Bugzilla:
1152789: CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack
A flaw was found in the way SSL 3.0 handled padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw allows a man-in-the-middle (MITM) attacker to decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.

Find out more about CVE-2014-3566 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

This issue affects the version of openssl as shipped with Red Hat Enterprise Linux 5, 6 and 7, Red Hat JBoss Enterprise Application Platform 5 and 6, and Red Hat JBoss Web Server 1 and 2, Red Hat Enterprise Virtualization Hypervisor 6.5, and Red Hat Storage 2.1.

This issue affects the version of nss as shipped with Red Hat Enterprise Linux 5, 6 and 7.

Additional information can be found in the Red Hat Knowledgebase article:
https://access.redhat.com/articles/1232123

CVSS v2 metrics

Base Score 5
Base Metrics AV:N/AC:L/Au:N/C:P/I:N/A:N
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Partial
Integrity Impact None
Availability Impact None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Satellite Capsule 6.0 RHBA-2014:1857 2014-11-13
Red Hat Satellite 5.6 (RHEL v.5) (java-1.6.0-ibm) RHSA-2015:0264 2015-02-24
Red Hat Satellite 6.0 RHBA-2014:1857 2014-11-13
Oracle Java for Red Hat Enterprise Linux 7 (java-1.7.0-oracle) RHSA-2015:0079 2015-01-22
Oracle Java for Red Hat Enterprise Linux 6 (java-1.7.0-oracle) RHSA-2015:0079 2015-01-22
Red Hat JBoss Web Server 2.1 RHSA-2014:1920 2014-12-01
Red Hat JBoss Web Platform 5.2 RHSA-2015:0011 2015-01-05
Red Hat JBoss Enterprise Application Platform 6.3 RHSA-2015:0012 2015-01-05
Red Hat Satellite Capsule 6.0 RHBA-2014:1857 2014-11-13
Oracle Java for Red Hat Enterprise Linux 6 (java-1.8.0-oracle) RHSA-2015:0080 2015-01-22
RHOSE Client 2.0 (openshift-origin-node-proxy) RHSA-2015:1546 2015-08-04
RHOSE Client 2.0 (openshift-origin-node-proxy) RHSA-2015:1545 2015-08-04
Red Hat Satellite 6.0 RHBA-2014:1857 2014-11-13
Oracle Java for Red Hat Enterprise Linux 6 (java-1.6.0-sun) RHSA-2015:0086 2015-01-26
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.7.1-ibm) RHSA-2014:1880 2014-11-20
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.5.0-ibm) RHSA-2014:1881 2014-11-20
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.7.0-ibm) RHSA-2014:1882 2014-11-20
Red Hat Satellite 5.6 (RHEL v.6) (java-1.6.0-ibm) RHSA-2015:0264 2015-02-24
Red Hat JBoss Enterprise Application Platform 5.2 RHSA-2015:0010 2015-01-05
Red Hat Enterprise Linux 5 (java-1.6.0-openjdk) RHSA-2015:0085 2015-01-26
Red Hat Enterprise Linux Supplementary (v. 7) (java-1.7.1-ibm) RHSA-2014:1880 2014-11-20
Red Hat Enterprise Linux 7 (java-1.7.0-openjdk) RHSA-2015:0067 2015-01-21
Red Hat Enterprise Linux 5 (java-1.7.0-openjdk) RHSA-2015:0068 2015-01-20
Oracle Java for Red Hat Enterprise Linux 5 (java-1.6.0-sun) RHSA-2015:0086 2015-01-26
Red Hat Enterprise Linux 6 (java-1.8.0-openjdk) RHSA-2015:0069 2015-01-21
Red Hat Enterprise Linux Supplementary 5 (java-1.7.0-ibm) RHSA-2014:1876 2014-11-19
Red Hat Enterprise Linux Supplementary 5 (java-1.6.0-ibm) RHSA-2014:1877 2014-11-19
Red Hat Enterprise Linux 6 (java-1.7.0-openjdk) RHSA-2015:0067 2015-01-21
Oracle Java for Red Hat Enterprise Linux 5 (java-1.7.0-oracle) RHSA-2015:0079 2015-01-22
Red Hat Enterprise Linux 7 (java-1.6.0-openjdk) RHSA-2015:0085 2015-01-26
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.6.0-ibm) RHSA-2014:1877 2014-11-19
Red Hat Enterprise Linux 6 (java-1.6.0-openjdk) RHSA-2015:0085 2015-01-26
Red Hat Enterprise Linux Supplementary 5 (java-1.5.0-ibm) RHSA-2014:1881 2014-11-20
Oracle Java for Red Hat Enterprise Linux 7 (java-1.6.0-sun) RHSA-2015:0086 2015-01-26
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although may not have been subject to full analysis.
Last Modified