Oct 15th, 2014
Important SSLv3 (POODLE) vulnerability found in all Linux distributions (CVE-2014-3566)
A flaw named POODLE was found in the way SSL 3.0 handled padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw allows a man-in-the-middle (MITM) attacker to decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.
In other words, the vulnerability allows an attacker to add padding to a request in order to then calculate the plaintext of traffic encrypted using the SSLv3 protocol. Effectively, this allows an attacker to compromise the encryption when using the SSLv3 protocol.
The risk from this vulnerability is that data exchanged over an encrypted connection using that protocol can be intercepted and read by an attacker.
As NO patch has been released yet by Red Hat, it is currently highly recommended to use only TLSv1.1 and TLSv1.2. Backwards compatibility can be provided using TLSv1.0. It is NOT recommended to use SSLv2 and SSLv3 as they are considered insecure.
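To check a web server configuration against the recommendation above, the following added example (not part of the original advisory) scans for Apache mod_ssl `SSLProtocol` and nginx `ssl_protocols` directives that leave SSLv2 or SSLv3 enabled. The choice of those two servers, the expansion of Apache's `all` keyword and the sample configuration are assumptions made for illustration.

```python
import re

# Protocols the advisory calls insecure (names lowercased for comparison).
INSECURE = {"sslv2", "sslv3"}
# Assumption: what Apache's "all" keyword expands to on a 2014-era mod_ssl build.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^;#]+)", re.I)


def effective_protocols(directive, args):
    """Return the set of protocols one directive line leaves enabled."""
    tokens = [t.lower() for t in args.split()]
    if directive.lower() == "ssl_protocols":
        return set(tokens)              # nginx: a plain allow-list
    enabled = set()                     # Apache: tokens applied left to right
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = APACHE_ALL if name == "all" else {name}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:
            enabled = set(names)        # unprefixed token replaces the set
    return enabled


def audit(config_text):
    """Return (line number, directive, insecure protocols) per offending line."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)       # commented-out directives do not match
        if m:
            bad = effective_protocols(m.group(1), m.group(2)) & INSECURE
            if bad:
                findings.append((lineno, m.group(1), sorted(bad)))
    return findings


# Constructed sample mixing Apache and nginx lines; not from a real server.
SAMPLE = """\
SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
"""
if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Each directive line is evaluated on its own; inheritance between virtual hosts or server blocks is not modelled, so a finding means that line, taken alone, still allows SSLv3.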
SSLv3 has been disabled for all our Server Management and Monitoring customers.
If you are not a Server Management customer and would like to have this vulnerability patched/disabled, please purchase a 1x Hour of Support plan.
Don’t hesitate to contact us with any questions you may have through our Contact Form page or LiveChat!