
VMware Products and CVE-2014-3566 (POODLE) (2092133)


Purpose

Researchers recently published a paper on a padding oracle attack against CBC-mode ciphers in SSLv3. This is reported as CVE-2014-3566, also known as the "POODLE" (Padding Oracle On Downgraded Legacy Encryption) vulnerability.

This article provides guidance to mitigate this issue.

This issue is similar to the BEAST (Browser Exploit Against SSL/TLS) issue discussed in Mitigation of CVE-2011-3389 (BEAST) for web server administrators (2008784).

Cause

This vulnerability has many facets and details are available in the external links provided in the Additional Information section.

Notes:

  • It is technically an attack against the browser, not the server. The most likely goal of an attack is to retrieve an encrypted session cookie in order to hijack a user's session.

  • It requires man-in-the-middle (MITM) network access combined with a certain amount of control over the user's browser, so that the browser makes repeated requests with content under the attacker's control. It also requires heavy real-time computing power.

Resolution

To mitigate this issue, disable SSL v3 in your browser. Review the browser vendor's documentation, or contact the vendor, for instructions on how to disable SSL v3.

Notes:

  • Current VMware products support TLS and, therefore, continue to function when SSL v3 is disabled in the browser.
  • Browser (and component) makers recommend that the use of SSL v3 be discontinued.
  • Communication between VMware products is not affected because this communication is between end-points and no browser is involved.
  • VMware is planning to phase out the support of SSL v3 in its products during future maintenance releases.

Additional Information

This vulnerability was discovered and reported publicly by security researchers. For more information, visit the vulnerability report and related links there.
