CVE-2014-3566
Publication date 14 October 2014
Last updated 24 July 2024
Ubuntu priority
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| nss | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
|
| openjdk-6 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty |
Fixed 6b34-1.13.6-1ubuntu0.14.04.1
|
|
| openjdk-7 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty |
Fixed 7u75-2.5.4-1~trusty1
|
|
| openssl | 24.10 oracular |
Fixed 1.0.1f-1ubuntu9
|
| 24.04 LTS noble |
Fixed 1.0.1f-1ubuntu9
|
|
| 22.04 LTS jammy |
Fixed 1.0.1f-1ubuntu9
|
|
| 20.04 LTS focal |
Fixed 1.0.1f-1ubuntu9
|
|
| 18.04 LTS bionic |
Fixed 1.0.1f-1ubuntu9
|
|
| 16.04 LTS xenial |
Fixed 1.0.1f-1ubuntu9
|
|
| 14.04 LTS trusty |
Fixed 1.0.1f-1ubuntu2.7
|
|
| openssl098 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| pound | 24.10 oracular |
Needs evaluation
|
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Vulnerable
|
|
Notes
mdeslaur
We recommend disabling SSLv3 on servers, if possible. Community-provided information on disabling SSLv3 can be found here: http://askmyasnchisdf.eu.org/a/537196 SANS provided information on disabling SSLv3 can be found here: https://isc.sans.edu/forums/diary/POODLE+Turning+off+SSLv3+for+various+servers+and+client+/18837
Patch details
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
3.4 · Low
|
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-2487-1
- OpenJDK 7 vulnerabilities
- 28 January 2015
- USN-2486-1
- OpenJDK 6 vulnerabilities
- 27 January 2015
Other references
- https://www.openssl.org/~bodo/ssl-poodle.pdf
- https://www.imperialviolet.org/2014/10/14/poodle.html
- http://marc.info/?l=openssl-dev&m=141333049205629&w=2
- https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
- https://www.openssl.org/news/secadv_20141015.txt
- http://askmyasnchisdf.eu.org/a/537196
- https://www.cve.org/CVERecord?id=CVE-2014-3566