CVE-2014-3566
Publication date 14 October 2014
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
Status
Package | Ubuntu Release | Status |
---|---|---|
nss | 24.10 oracular |
Not affected
|
24.04 LTS noble |
Not affected
|
|
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Not affected
|
|
18.04 LTS bionic |
Not affected
|
|
16.04 LTS xenial |
Not affected
|
|
14.04 LTS trusty |
Not affected
|
|
openjdk-6 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial | Not in release | |
14.04 LTS trusty |
Fixed 6b34-1.13.6-1ubuntu0.14.04.1
|
|
openjdk-7 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial | Not in release | |
14.04 LTS trusty |
Fixed 7u75-2.5.4-1~trusty1
|
|
openssl | 24.10 oracular |
Fixed 1.0.1f-1ubuntu9
|
24.04 LTS noble |
Fixed 1.0.1f-1ubuntu9
|
|
22.04 LTS jammy |
Fixed 1.0.1f-1ubuntu9
|
|
20.04 LTS focal |
Fixed 1.0.1f-1ubuntu9
|
|
18.04 LTS bionic |
Fixed 1.0.1f-1ubuntu9
|
|
16.04 LTS xenial |
Fixed 1.0.1f-1ubuntu9
|
|
14.04 LTS trusty |
Fixed 1.0.1f-1ubuntu2.7
|
|
openssl098 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial | Not in release | |
14.04 LTS trusty | Not in release | |
pound | 24.10 oracular |
Needs evaluation
|
24.04 LTS noble | Not in release | |
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Not affected
|
|
18.04 LTS bionic | Not in release | |
16.04 LTS xenial |
Not affected
|
|
14.04 LTS trusty | Ignored end of ESM support, was needed | |
Notes
mdeslaur
We recommend disabling SSLv3 on servers, if possible. Community-provided information on disabling SSLv3 can be found here: http://askubuntu.com/a/537196 SANS provided information on disabling SSLv3 can be found here: https://isc.sans.edu/forums/diary/POODLE+Turning+off+SSLv3+for+various+servers+and+client+/18837
Patch details
Severity score breakdown
Parameter | Value |
---|---|
Base score | 3.4 · Low |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | Required |
Scope | Changed |
Confidentiality | Low |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-2487-1
- OpenJDK 7 vulnerabilities
- 28 January 2015
- USN-2486-1
- OpenJDK 6 vulnerabilities
- 27 January 2015
Other references
- https://www.openssl.org/~bodo/ssl-poodle.pdf
- https://www.imperialviolet.org/2014/10/14/poodle.html
- http://marc.info/?l=openssl-dev&m=141333049205629&w=2
- https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
- https://www.openssl.org/news/secadv_20141015.txt
- http://askubuntu.com/a/537196
- https://www.cve.org/CVERecord?id=CVE-2014-3566