On October 14th, word came out of a vulnerability recently uncovered by Google's security team that affects the SSLv3 protocol. It has been assigned CVE-2014-3566 and goes by the alias POODLE (Padding Oracle On Downgraded Legacy Encryption). A very detailed description of its implications can be found here: https://www.openssl.org/~bodo/ssl-poodle.pdf
This vulnerability allows the plaintext of secure connections to be calculated by a network attacker.
The conditions that are required for the attack to be applicable are hard to obtain. In particular, the attacker needs to become a man-in-the-middle between the attacked client and server, and to generate, block and modify client messages to the server and vice versa.
However, to stay on the safe side, it is recommended that you disable SSLv3 in server and client implementations wherever possible. Albeit generally obsolete, SSLv3 has not yet been completely decommissioned: this vulnerability can be exploited even if you are using TLS, when a downgrade dance is implemented for SSL handshakes. To mitigate this, TLS implementations should make use of TLS Fallback SCSV.
Below are 2 ways you can check if you have SSLv3 enabled, using either OpenSSL or Nmap:
openssl s_client -connect HOSTNAME:443 -ssl3
nmap --script ssl-enum-ciphers -p 443 HOSTNAME
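A third way to run the same check, useful because many current OpenSSL builds are compiled without SSLv3 support and then reject the `-ssl3` option. This is an added example, not part of the original post: it sends a bare SSLv3 ClientHello and classifies the first record the server returns. The function names and the cipher list are assumptions chosen for illustration.

```python
import os
import socket
import struct
import sys

SSL3 = b"\x03\x00"  # SSLv3 protocol version bytes
# Assumption: suites commonly negotiated over SSLv3 (AES/3DES CBC and RC4).
CIPHERS = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]

def build_sslv3_client_hello(random_bytes=None):
    """Return one SSLv3 record holding a ClientHello (no extensions)."""
    rnd = random_bytes or os.urandom(32)
    suites = b"".join(struct.pack(">H", c) for c in CIPHERS)
    body = (SSL3 + rnd + b"\x00"                   # version, random, empty session id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00")                         # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body  # 24-bit length
    return b"\x16" + SSL3 + struct.pack(">H", len(handshake)) + handshake

def classify_reply(data):
    """Classify the first bytes the server sent back."""
    if len(data) < 6:
        return "no-reply"            # closed or reset without a full record
    ctype, version = data[0], data[1:3]
    if ctype == 0x16 and version == SSL3 and data[5] == 0x02:
        return "sslv3-enabled"       # ServerHello at SSLv3: disable it
    if ctype == 0x15:
        return "sslv3-rejected"      # alert, e.g. handshake_failure
    return "unknown"

def probe(host, port=443, timeout=5.0):
    """Connect, send the ClientHello, and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_reply(data)

if __name__ == "__main__":
    # Usage: python3 script.py HOSTNAME [PORT]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(sys.argv[1], port, probe(sys.argv[1], port))
```

An alert can also mean the server speaks SSLv3 but shares none of the offered suites, so treat "sslv3-rejected" as a result to confirm against the server's configuration.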
Considerations for cloud deployments:
- If you are deployed on AWS, we strongly suggest acting upon their recommendations: https://aws.amazon.com/security/security-bulletins/CVE-2014-3566-advisory/
- If you are on Google Cloud or Microsoft Azure, note that no official advisory has been issued yet; we are following up with them and will update this post once we have more info.
Your Cloud Experts