An active man-in-the-middle attacker can exploit a weakness in the CBC-mode ciphers of SSL 3.0 by forcing a connection to downgrade from TLS to SSL 3.0.
Security advisory: https://www.openssl.org/~bodo/ssl-poodle.pdf
Corporate Products:
Consumer Products:
POODLE stands for Padding Oracle On Downgraded Legacy Encryption. The vulnerability affects SSL 3.0 and allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. This vulnerability does not affect the TLS encryption mechanism. Successful exploitation could lead to information disclosure by recovering small amounts of plaintext from an encrypted SSL 3.0 connection. CVE-2014-3566 has been assigned for this vulnerability.
This advisory will be updated as more information becomes available.
Note: Products and platforms not listed in this advisory are NOT affected by POODLE.
The following products/platforms are affected and are already patched.
Product/Platform | Remarks |
---|---|
F-Secure Messaging Security Gateway 7.1 – 7.5 | Verify that the patch has been installed on the appliance. MSG 7.1 – Patch 2092; MSG 7.2 – Patch 2093; MSG 7.5 – Patch 2094 |
F-Secure Protection Service for Email 7.1 – 7.5 | Verify that the patch has been installed on the appliance. PSE 7.1 – Patch 2092; PSE 7.2 – Patch 2093; PSE 7.5 – Patch 2094 |
Safe Anywhere for PC | The client only creates connections at its own initiative, not controllable by a man-in-the-middle attacker. No patch is required for this product. |
Safe Anywhere for Mac | The client only creates connections at its own initiative, not controllable by a man-in-the-middle attacker. No patch is required for this product. |
F-Secure Freedome | F-Secure Freedome servers have been updated to disable the SSL 3.0 encryption protocol. |
F-Secure Key | F-Secure Key servers have been updated to disable the SSL 3.0 encryption protocol. |
The following products/platforms are affected and are already patched.
Product/Platform | Remarks |
---|---|
F-Secure Server Security | |
F-Secure Email and Server Security | |
F-Secure PSB Server Security | |
F-Secure PSB Email and Server Security | |
F-Secure Linux Security | |
Date | Changes |
---|---|
23 October 2014 | First advisory published. |
24 October 2014 | F-Secure Search and Safe Avenue removed as they do not use SSL3.0 by default and are thus not affected. Updated Safe Anywhere for PC remark for clarification. |
Date Issued: 2014-10-23
Date Last Updated: 2014-10-24