RHSA-2015:1545: node.js security update
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
4 | (AV:N/AC:M/Au:N/C:P/I:N/A:N) | October 14, 2014 | August 05, 2015 | February 22, 2018 |
Description
Updated node.js packages that fix one security issue are now available for Red Hat OpenShift Enterprise 2.1. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

A flaw was found in the way SSL 3.0 handled padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw allows a man-in-the-middle (MITM) attacker to decrypt a selected byte of a ciphertext in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566)

All OpenShift Enterprise users are advised to upgrade to these updated packages, which correct this issue.
References
- APPLE-APPLE-SA-2014-10-16-1
- APPLE-APPLE-SA-2014-10-16-3
- APPLE-APPLE-SA-2014-10-16-4
- APPLE-APPLE-SA-2014-10-20-1
- APPLE-APPLE-SA-2014-10-20-2
- APPLE-APPLE-SA-2015-01-27-4
- BID-70574
- CERT-TA14-290A
- CERT-VN-577193
- CVE-2014-3566
- DEBIAN-DSA-3053
- DEBIAN-DSA-3144
- DEBIAN-DSA-3147
- DEBIAN-DSA-3253
- NETBSD-NetBSD-SA2014-015
- REDHAT-RHSA-2014:1652
- REDHAT-RHSA-2014:1653
- REDHAT-RHSA-2014:1692
- REDHAT-RHSA-2014:1876
- REDHAT-RHSA-2014:1877
- REDHAT-RHSA-2014:1880
- REDHAT-RHSA-2014:1881
- REDHAT-RHSA-2014:1882
- REDHAT-RHSA-2014:1920
- REDHAT-RHSA-2014:1948
- REDHAT-RHSA-2015:0068
- REDHAT-RHSA-2015:0079
- REDHAT-RHSA-2015:0080
- REDHAT-RHSA-2015:0085
- REDHAT-RHSA-2015:0086
- REDHAT-RHSA-2015:0264
- REDHAT-RHSA-2015:0698
- REDHAT-RHSA-2015:1545
- REDHAT-RHSA-2015:1546
Solution
redhat-upgrade-openshift-origin-node-proxy
Related Vulnerabilities
- Palo Alto Networks PAN-SA-2014-0005 (CVE-2014-3566): SSL 3.0 MITM Attack
- SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
- OS X security update 2015-001 for AFP Server (CVE-2014-3566)
- Oracle Solaris 11: CVE-2014-3566: Vulnerability in Multiple Components
- Juniper Junos OS: 2014-10 Out of Cycle Security Bulletin: Multiple products affected by SSL "POODLE" vulnerability (JSA10656) (CVE-2014-3566)
- IBM WebSphere Application Server: CVE-2014-3566: IBM Potential Security Vulnerabilities fixed in IBM WebSphere Application Server
- OS X update for OpenSSL (CVE-2014-3566)
- RHSA-2015:0067: java-1.7.0-openjdk security update
- Amazon Linux AMI: Security patch for nss (ALAS-2014-429) (CVE-2014-3566)
- HP-UX: CVE-2014-3566: Running OpenSSL, Remote Denial of Service (DoS), Unauthorized Access, Man-in-the-Middle (MitM) Attack
- ELSA-2014-1653 Moderate: Oracle Linux openssl security update
- Cisco IOS: CVE-2014-3566: SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
- Amazon Linux AMI: Security patch for java-1.6.0-openjdk (ALAS-2015-480) (multiple CVEs)
- ELSA-2015-0067 Critical: Oracle Linux java-1.7.0-openjdk security update
- IBM HTTP Server: CVE-2014-3566: IBM HTTP Server should disable weak SSL protocols and ciphers by default
- USN-2486-1: OpenJDK 6 vulnerabilities
- OpenSSL SSL 3.0 Fallback protection (CVE-2014-3566)
- RHSA-2014:1882: java-1.7.0-ibm security update
- RHSA-2015:0080: java-1.8.0-oracle security update
- ELSA-2015-0069 Important: Oracle Linux java-1.8.0-openjdk security update
- DSA-3147-1 openjdk-6 -- security update
- HP Systems Insight Manager - HPSBMU03261 (CVE-2014-3566): OpenSSL on Linux and Windows, Remote Disclosure of Information
- Debian: CVE-2014-3566: lighttpd -- security update
- RHSA-2014:1881: java-1.5.0-ibm security update
- F5 Networks: K15702 (CVE-2014-3566): SSLv3 vulnerability CVE-2014-3566
- Sun Patch: Indexing and Search Service 1u5-29.15600: core patch
- TLS/SSL Server Supports SSLv3
- RHSA-2015:0086: java-1.6.0-sun security update
- Amazon Linux AMI: Security patch for java-1.8.0-openjdk (ALAS-2015-472) (multiple CVEs)
- Sun Patch: SunOS 5.10: wanboot patch
- ELSA-2015-0085 Important: Oracle Linux java-1.6.0-openjdk security update
- RHSA-2015:0079: java-1.7.0-oracle security update
- Cent OS: CVE-2014-3566: CESA-2015:0085 (java-1.6.0-openjdk)
- FreeBSD: davmail -- fix potential CVE-2014-3566 vulnerability (POODLE) (CVE-2014-3566)
- DSA-3144-1 openjdk-7 -- security update
- RHSA-2015:0068: java-1.7.0-openjdk security update
- Sun Patch: SunOS 5.10_x86: openssl patch
- ELSA-2015-0068 Important: Oracle Linux java-1.7.0-openjdk security update
- HP System Management Homepage - HPSBMU03260 (CVE-2014-3566): OpenSSL on Linux and Windows, Remote Disclosure of Information
- Cisco NX-OS: SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability (Multiple CVEs)
- RHSA-2015:0085: java-1.6.0-openjdk security update
- FreeBSD: (Multiple Advisories) (CVE-2014-3566): lynx -- multiple vulnerabilities
- ELSA-2014-1652 Important: Oracle Linux openssl security update
- Sun Patch: VM Server for SPARC 3.1: ldmd patch
- Cisco SAN-OS: SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability (CVE-2014-3566)
- IBM AIX: java_feb2015_advisory, java_oct2014_advisory, nettcp_advisory, openssl_advisory11 (CVE-2014-3566): Vulnerability in IBM Java SDK affects AIX
- RHSA-2014:1877: java-1.6.0-ibm security update
- RHSA-2014:1880: java-1.7.1-ibm security update
- Gentoo Linux: CVE-2014-3566: Asterisk: Multiple Vulnerabilities
- Jenkins Advisory 2014-10-15: CVE-2014-3566: Poodle vulnerability
- Java CPU January 2015 Java SE, Java SE Embedded, JRockit JSSE vulnerability (CVE-2014-3566)
- Amazon Linux AMI: Security patch for java-1.7.0-openjdk (ALAS-2015-471) (multiple CVEs)
- DSA-3053-1 openssl -- security update
- DSA-3253-1 pound -- security update
- FreeBSD: asterisk -- Asterisk Susceptibility to POODLE Vulnerability (CVE-2014-3566)
- RHSA-2015:0264: Red Hat Satellite IBM Java Runtime security update
- OS X update for Secure Transport (CVE-2014-3566)
- HP iLO: CVE-2014-3566: Remote disclosure of information
- RHSA-2014:1876: java-1.7.0-ibm security update
- Amazon Linux AMI: Security patch for openssl (ALAS-2014-426) (CVE-2014-3566)
- Sun Patch: Indexing and Search Service 1u5-29.15600_x86: core patch
- RHSA-2015:0069: java-1.8.0-openjdk security update
- SUSE: CVE-2014-3566: SUSE Linux Security Advisory
- Sun Patch: SunOS 5.10: openssl patch
- Oracle Linux: CVE-2014-3566: ELSA-2016-3558 - openssl security update
- TLS/SSL Server is enabling the POODLE attack
- FreeBSD: OpenSSL -- multiple vulnerabilities (FreeBSD-SA-14:23.openssl) (Multiple CVEs)
- Oracle Database: Critical Patch Update - July 2017 (CVE-2014-3566)
- USN-2487-1: OpenJDK 7 vulnerabilities