Virtual Router/ Firewall/ VPN

Occasional Contributor
Posts: 5
Registered: ‎04-09-2015

CVE-2014-3566 - SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)

Hi There

 

I was looking for security release notes and came across only one document which says that "CVE-2014-3566 - SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)" has an impact on the Vyatta vRouter.

 

Is there anyone on the forum with further information on this vulnerability, i.e. the proposed solution which we have to implement, or whether any particular release has its fix in place now? I assume the latest vyos version is 6.7R7 and we are running 6.7R6.

 

Thanks in advance!!

Khiali

 

Occasional Contributor
Posts: 5
Registered: ‎04-09-2015

Re: CVE-2014-3566 - SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)

Sorry we are running version 6.6R5 which is quite old.

 

Version: VSE6.6R5
Description: Brocade Vyatta 5415 vRouter 6.6 R5

 

######################################

 

And I also got information from the 6.7R7 release notes that this vulnerability is fixed in 6.7R4.

 

 

6.7R4 RELEASE
Release 6.7R4 resolves the following security bulletins:

• [CVE-2014-3566] The “POODLE” issue—When the SSL protocol 3.0 is used in OpenSSL through 1.0.1i and other products, it uses nondeterministic cipher-block chaining (CBC) padding, which makes it easier for “man-in-the-middle” attackers to obtain cleartext data through a padding-oracle attack.
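As an added illustration (not from this thread and not Brocade/Vyatta code), the two padding rules behind the release note above, written out as checks on an already-decrypted final CBC block: SSL 3.0 constrains only the padding-length byte, whereas TLS 1.0 and later require every padding byte to match it, which is why SSLv3 is the protocol the scanner flags. The block size and the two sample blocks are constructed assumptions.

```python
# Added example: SSL 3.0 vs TLS 1.0+ CBC padding validation on a decrypted
# record tail. Neither function performs any network or cryptographic work;
# they only model the acceptance rule each specification gives a receiver.
from typing import Tuple

BLOCK_SIZE = 16  # assumption: a 128-bit block cipher such as AES in CBC mode


def sslv3_padding_ok(plaintext: bytes) -> bool:
    """SSL 3.0 (RFC 6101, 5.2.3.2): only the final padding_length byte is
    constrained (it must be smaller than the block size). The padding bytes
    themselves may hold any value, so a receiver has nothing to verify."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    return pad_len < BLOCK_SIZE and len(plaintext) >= pad_len + 1


def tls_padding_ok(plaintext: bytes) -> bool:
    """TLS 1.0+ (RFC 2246, 6.2.3.2): every padding byte must equal the
    padding_length byte, so a block carrying arbitrary padding is rejected."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if len(plaintext) < pad_len + 1:
        return False
    return all(b == pad_len for b in plaintext[-(pad_len + 1):])


def compare_padding_rules(plaintext: bytes) -> Tuple[bool, bool]:
    """Return (accepted_by_sslv3, accepted_by_tls) for one decrypted block."""
    return sslv3_padding_ok(plaintext), tls_padding_ok(plaintext)


# Constructed sample blocks (16 bytes each). The first ends in a valid
# padding length of 3 but carries unrelated bytes where the padding sits;
# the second is a properly formed 3-byte padding as TLS requires it.
UNCHECKED_PADDING = b"\x41" * 12 + b"\xde\xad\xbe\x03"
WELL_FORMED_PADDING = b"\x41" * 12 + b"\x03\x03\x03\x03"

if __name__ == "__main__":
    for label, block in (("unchecked", UNCHECKED_PADDING),
                         ("well-formed", WELL_FORMED_PADDING)):
        sslv3, tls = compare_padding_rules(block)
        print(f"{label:12s} SSLv3 accepts={sslv3}  TLS accepts={tls}")
```

The first sample is accepted under the SSLv3 rule and rejected under the TLS rule; the second passes both, which is the difference a receiver running TLS 1.0 or later gains over SSLv3.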

Occasional Contributor
Posts: 5
Registered: ‎04-09-2015

Re: CVE-2014-3566 - SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)

I have a few other SSL vulnerabilities. It would be great if someone could shed some light on whether, by upgrading to the latest version, all of them will be fixed, or whether Brocade is still investigating?

 

http://www.tenable.com/plugins/index.php?view=single&id=20007
SSL Version 2 and 3 Protocol Detection

http://www.tenable.com/plugins/index.php?view=single&id=69551
SSL Certificate Chain Contains RSA Keys Less Than 2048 bits

http://www.tenable.com/plugins/index.php?view=single&id=65821
SSL RC4 Cipher Suites Supported

Frequent Contributor
Posts: 95
Registered: ‎03-23-2015

Re: CVE-2014-3566 - SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)

Hi @khiali,

 

I brought this up with our product team and below is their response. I hope it helps.

 

"The POODLE security vulnerability was addressed in the Vyatta 5400 6.7R4 release. 6.7R6 also includes a fix for the GHOST (CVE-2015-0235 GHOST) security vulnerability."

Dennis Smith
Manager Brocade Communities
@DennisMSmith
Broadcom
Posts: 5
Registered: ‎02-02-2015

Re: CVE-2014-3566 - SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)

 

In addition to the release notes, I also recommend that you check the Brocade Security Advisories page, which includes the list of the vulnerabilities that have been addressed in different versions of Vyatta:

 

http://www.brocade.com/services-support/security-advisories/index.page

Occasional Contributor
Posts: 5
Registered: ‎04-09-2015

Re: CVE-2014-3566 - SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)

Thanks for the update.

Occasional Contributor
Posts: 5
Registered: ‎04-09-2015

Re: CVE-2014-3566 - SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)

Is there any way to subscribe for security vulnerabilities in relation to Vyatta devices?
