Available Exploits 

• HTTP SSL/TLS Version Detection (POODLE scanner)

Description

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

References

• APPLE-APPLE-SA-2014-10-16-1
• APPLE-APPLE-SA-2014-10-16-3
• APPLE-APPLE-SA-2014-10-16-4
• APPLE-APPLE-SA-2014-10-20-1
• APPLE-APPLE-SA-2014-10-20-2
• APPLE-APPLE-SA-2015-01-27-4
• APPLE-APPLE-SA-2015-09-16-2
• BID-70574
• CERT-TA14-290A
• CERT-VN-577193
• CVE-2014-3566
• DEBIAN-DSA-3053
• DEBIAN-DSA-3144
• DEBIAN-DSA-3147
• DEBIAN-DSA-3253
• DEBIAN-DSA-3489
• DISA_SEVERITY-Category I
• DISA_VMSKEY-V0058513
• DISA_VMSKEY-V0058515
• DISA_VMSKEY-V0058517
• DISA_VMSKEY-V0061081
• IAVM-2015-A-0154
• IAVM-2015-B-0012
• IAVM-2015-B-0013
• IAVM-2015-B-0014
• NETBSD-NetBSD-SA2014-015
• REDHAT-RHSA-2014:1652
• REDHAT-RHSA-2014:1653
• REDHAT-RHSA-2014:1692
• REDHAT-RHSA-2014:1876
• REDHAT-RHSA-2014:1877
• REDHAT-RHSA-2014:1880
• REDHAT-RHSA-2014:1881
• REDHAT-RHSA-2014:1882
• REDHAT-RHSA-2014:1920
• REDHAT-RHSA-2014:1948
• REDHAT-RHSA-2015:0068
• REDHAT-RHSA-2015:0079
• REDHAT-RHSA-2015:0080
• REDHAT-RHSA-2015:0085
• REDHAT-RHSA-2015:0086
• REDHAT-RHSA-2015:0264
• REDHAT-RHSA-2015:0698
• REDHAT-RHSA-2015:1545
• REDHAT-RHSA-2015:1546
• URL: https://support.apple.com/en-us/HT204244

Solution

Related Vulnerabilities

• Palo Alto Networks PAN-SA-2014-0005 (CVE-2014-3566): SSL 3.0 MITM Attack
• SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
• OS X security update 2015-001 for AFP Server (CVE-2014-3566)
• Oracle Solaris 11: CVE-2014-3566: Vulnerability in Multiple Components
• Juniper Junos OS: 2014-10 Out of Cycle Security Bulletin: Multiple products affected by SSL "POODLE" vulnerability (JSA10656) (CVE-2014-3566)
• IBM WebSphere Application Server: CVE-2014-3566: IBM Potential Security Vulnerabilities fixed in IBM WebSphere Application Server
• RHSA-2015:0067: java-1.7.0-openjdk security update
• Amazon Linux AMI: Security patch for nss (ALAS-2014-429) (CVE-2014-3566)
• HP-UX: CVE-2014-3566: Running OpenSSL, Remote Denial of Service (DoS), Unauthorized Access, Man-in-the-Middle (MitM) Attack
• ELSA-2014-1653 Moderate: Oracle Linux openssl security update
• Cisco IOS: CVE-2014-3566: SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
• Amazon Linux AMI: Security patch for java-1.6.0-openjdk (ALAS-2015-480) (multiple CVEs)
• ELSA-2015-0067 Critical: Oracle Linux java-1.7.0-openjdk security update
• USN-2486-1: OpenJDK 6 vulnerabilities
• OpenSSL SSL 3.0 Fallback protection (CVE-2014-3566)
• RHSA-2014:1882: java-1.7.0-ibm security update
• RHSA-2015:0080: java-1.8.0-oracle security update
• ELSA-2015-0069 Important: Oracle Linux java-1.8.0-openjdk security update
• DSA-3147-1 openjdk-6 -- security update
• HP Systems Insight Manager - HPSBMU03261 (CVE-2014-3566): OpenSSL on Linux and Windows, Remote Disclosure of Information
• Debian: CVE-2014-3566: lighttpd -- security update
• RHSA-2014:1881: java-1.5.0-ibm security update
• F5 Networks: K15702 (CVE-2014-3566): SSLv3 vulnerability CVE-2014-3566
• Sun Patch: Indexing and Search Service 1u5-29.15600: core patch
• TLS/SSL Server Supports SSLv3
• RHSA-2015:0086: java-1.6.0-sun security update
• Amazon Linux AMI: Security patch for java-1.8.0-openjdk (ALAS-2015-472) (multiple CVEs)
• Sun Patch: SunOS 5.10: wanboot patch
• ELSA-2015-0085 Important: Oracle Linux java-1.6.0-openjdk security update
• RHSA-2015:0079: java-1.7.0-oracle security update
• Cent OS: CVE-2014-3566: CESA-2015:0085 (java-1.6.0-openjdk)
• FreeBSD: davmail -- fix potential CVE-2014-3566 vulnerability (POODLE) (CVE-2014-3566)
• RHSA-2015:1545: node.js security update
• DSA-3144-1 openjdk-7 -- security update
• RHSA-2015:0068: java-1.7.0-openjdk security update
• Sun Patch: SunOS 5.10_x86: openssl patch
• ELSA-2015-0068 Important: Oracle Linux java-1.7.0-openjdk security update
• HP System Management Homepage - HPSBMU03260 (CVE-2014-3566): OpenSSL on Linux and Windows, Remote Disclosure of Information
• Cisco NX-OS: SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability (Multiple CVEs)
• RHSA-2015:0085: java-1.6.0-openjdk security update
• FreeBSD: (Multiple Advisories) (CVE-2014-3566): lynx -- multiple vulnerabilities
• ELSA-2014-1652 Important: Oracle Linux openssl security update
• Sun Patch: VM Server for SPARC 3.1: ldmd patch
• Cisco SAN-OS: SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability (CVE-2014-3566)
• IBM AIX: java_feb2015_advisory, java_oct2014_advisory, nettcp_advisory, openssl_advisory11 (CVE-2014-3566): Vulnerability in IBM Java SDK affects AIX
• RHSA-2014:1877: java-1.6.0-ibm security update
• RHSA-2014:1880: java-1.7.1-ibm security update
• Gentoo Linux: CVE-2014-3566: Asterisk: Multiple Vulnerabilities
• Java CPU January 2015 Java SE, Java SE Embedded, JRockit JSSE vulnerability (CVE-2014-3566)
• Amazon Linux AMI: Security patch for java-1.7.0-openjdk (ALAS-2015-471) (multiple CVEs)
• DSA-3053-1 openssl -- security update
• DSA-3253-1 pound -- security update
• FreeBSD: asterisk -- Asterisk Susceptibility to POODLE Vulnerability (CVE-2014-3566)
• RHSA-2015:0264: Red Hat Satellite IBM Java Runtime security update
• OS X update for Secure Transport (CVE-2014-3566)
• RHSA-2014:1876: java-1.7.0-ibm security update
• Amazon Linux AMI: Security patch for openssl (ALAS-2014-426) (CVE-2014-3566)
• Sun Patch: Indexing and Search Service 1u5-29.15600_x86: core patch
• RHSA-2015:0069: java-1.8.0-openjdk security update
• SUSE: CVE-2014-3566: SUSE Linux Security Advisory
• Sun Patch: SunOS 5.10: openssl patch
• Oracle Linux: CVE-2014-3566: ELSA-2016-3558 - openssl security update
• TLS/SSL Server is enabling the POODLE attack
• FreeBSD: OpenSSL -- multiple vulnerabilities (FreeBSD-SA-14:23.openssl) (Multiple CVEs)
• Oracle Database: Critical Patch Update - July 2017 (CVE-2014-3566)
• USN-2487-1: OpenJDK 7 vulnerabilities