Re: Being vulnerable to POODLE

[Gsunde Orangen <gsunde.orangen () gmail com>]

On 26.12.2015, 11:41 gremlin () gremlin ru wrote:
> On 2015-12-26 07:28:52 +0000, Sevan Janiyan wrote:
>
>  > Hi, If you have a piece of software which is vulnerable to POODLE,
>  > should a CVE be requested for it or should CVE-2014-3566 just be
>  > referenced in any advisories published?
>
> The POODLE is an OpenSSL vulnerability, so referencing CVE-2014-3566
> should be enough.
Nope, it is not a vulnerability specific to OpenSSL, but a design
weakness in the SSLv3 protocol - so all implementations of SSLv3 are
affected. I would use the same CVE-2014-3566 for all software that still
uses SSLv3.
This is different to "POODLE TLS", where some implementations (but not
OpenSSL) contained a similar vulnerability in their implementation of
the TLS 1.0 protocol (although the TLS 1.0 standard itself does not have
it). In this case different CVE IDs are suggested - see Mitre's
statement at [1]
"POODLE TLS" is references in multiple CVEs, see [2]

[1] http://seclists.org/oss-sec/2014/q4/1003
[2] https://web.nvd.nist.gov/view/vuln/search-results?query=poodle%20tls

>  > It turns out that CoovaChilli is vulnerable to POODLE & I'd
>  > like to follow the correct procedure regarding disclosure. There's
>  > a fix pending due to needing further testing at which point an
>  > advisory will be published with the necessary details.
>
> Does the update of OpenSSL eliminate this vulnerability?
No - see above...

Gsunde