We do know about the CVE-2014-3566 vulnerability in SSL V3 nicknamed "Poodle." Of course, everything now needs to have a sexy (easy to say) name attached to it instead of saying CVE-2014-3566. I'm kind of surprised there's no logo yet, so here's a picture of a poodle for you to help lighten the mood. 🙂
As of right now, there is not a fix out for it but the recommended action is to disable SSL Version 3 and that's what we've done. It'll revert back to SSL/TLS, which is supported by web browsers.
This one's different. Here's a decent explanation of it:
What you need to know about the SSLv3 “POODLE” flaw (CVE-2014-3566) (fedoramagazine.org)
Here’s the basics: SSL and TLS are standards for secure connections to Internet services. You know that little lock icon (or is it a handbag?) that means your web session is supposed to be secure? That means that some level of secure connection protocol is in use. These protocols have been improved several times over the years for better security, and some of the older versions have problems and really shouldn’t be used anymore.
For compatibility reasons, though, when a client (like your web browser) connects to a server (like https://fedoraproject.org/), they both negotiate the newest version that both sides can understand. If it happens to be something old, that’s what gets used, flaws and all. One particular old version, SSLv3, has some terrible flaws which make it easy for attackers to decrypt your supposedly-secure traffic. Normally, this is not a problem if you’re using a web browser newer than, say, ten years old — the updated, more secure protocol versions will be used. But the “POODLE” attack uses a “man in the middle” attack to confuse the negotiation, tricking the systems into using the insecure old version.
This can be mitigated by limiting the age of the protocol that servers and clients will fall back to. This may break the ability to connect to some very old services or using very old web browsers, but, arguably, those ancient systems were broken already and just plain need to be updated.
So, the bottom line is: on servers and clients, disable SSLv3 (and, of course, older). Updates to Fedora packages which make this the default will be forthcoming, but in the meantime, you can do it manually.
And some more:
POODLE – An SSL 3.0 Vulnerability (CVE-2014-3566) (securityblog.redhat.com)
Red Hat Product Security has been made aware of a vulnerability in the SSL 3.0 protocol, which has been assigned CVE-2014-3566. All implementations of SSL 3.0 are affected. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.
To mitigate this vulnerability, it is recommended that you explicitly disable SSL 3.0 in favor of TLS 1.1 or later in all affected packages.
Again, that's what we've done for our servers. If you want more information about it including the history and technical details, read more the the second article (securityblog.redhat.com) posted here.
-Tony
