SSLv3 "POODLE" Vulnerability CVE-2014-3566
Posted by ngriffin on 15 October 2014 08:10 AM
Websense® Security Labs are aware of a critical vulnerability that exists in SSLv3, dubbed "POODLE" by the Google Security Team. The vulnerability has also been explained in a security advisory by OpenSSL and has been assigned the CVE number CVE-2014-3566.
Readers, take note! This is a major security risk, and you should take action immediately to mitigate this issue. Both Google and Mozilla are planning on removing all support for SSLv3 in their browsers in the coming months. Mozilla Firefox will discontinue support for SSLv3 on November 25 and Google Chrome will also stop supporting SSLv3 "in the coming months".
How is it exploited?
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. TLS (Transport Layer Security) has since superseded SSL; however, support for the older SSL version 3.0 still exists in the majority of applications, which means software (such as browsers) can be forced into using a vulnerable SSLv3 connection.
The vulnerability can be exploited by inducing a client's browser into making multiple requests over HTTPS with SSLv3 and inferring details about the encrypted contents from those requests, which allows an attacker to compromise the security of SSLv3.
What is the risk?
Websense Security Labs researchers view this as a critical vulnerability that is likely to be exploited in the wild, and can result in significant data theft. Research currently indicates that the vulnerability is only applicable to client-side software, and is most likely to affect web browsers. It is strongly recommended that you take the appropriate steps to secure any affected applications using SSLv3.
What actions should you take?
There are several ways of mitigating this vulnerability. Despite the issue being client-side, taking steps to secure server-side applications will prevent the issue from being exploited in the first place. It is recommended to follow as many of the steps below as possible, listed in order of priority as determined by Websense Security Labs researchers:
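Since the server-side steps above come down to making sure SSLv3 is never negotiated, a useful supporting check is to look at what version the server actually chose in its ServerHello. The following is an added example, not code from Websense or from the original post; it parses SSL/TLS record and ServerHello bytes and flags any connection that settled on SSLv3 (wire version 3.0). The ServerHello records it runs on are constructed inline for offline testing; in practice the same functions would be fed records captured from traffic to your servers.

```python
import struct

# Version bytes as they appear on the wire: SSLv3 is (3, 0).
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE, SERVER_HELLO = 22, 2

def parse_record(data):
    """Split one SSL/TLS record into (content_type, record_version, body)."""
    if len(data) < 5:
        raise ValueError("record header too short")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    return ctype, (major, minor), body

def negotiated_version(record):
    """Return the protocol version the server chose in a ServerHello."""
    ctype, _rec_version, body = parse_record(record)
    if ctype != HANDSHAKE or len(body) < 6 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello handshake record")
    # Handshake header is type(1) + length(3); the chosen version follows it.
    return (body[4], body[5])

def sslv3_negotiated(record):
    """True when the connection would run on SSLv3, i.e. it is POODLE-exposed."""
    return negotiated_version(record) == (3, 0)

def audit(records):
    """Label each captured ServerHello; returns a list of (version name, exposed)."""
    findings = []
    for rec in records:
        v = negotiated_version(rec)
        findings.append((VERSION_NAMES.get(v, "unknown %d.%d" % v), v == (3, 0)))
    return findings

def build_server_hello(version):
    """Constructed minimal ServerHello (zero random, empty session id,
    cipher suite 0x002f, null compression) used here as sample input."""
    body = bytes(version) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(version) + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    samples = [build_server_hello((3, 0)), build_server_hello((3, 3))]
    for name, exposed in audit(samples):
        print(name, "EXPOSED" if exposed else "ok")
```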
Websense Security Labs will continue to monitor this issue as it evolves, and will update this blog accordingly with any significant new information.