Lucene search

K

Oracle Linux 5 : openssl (ELSA-2014-1653) (POODLE)

Oracle Linux 5 : openssl (ELSA-2014-1653) (POODLE) Updated packages for SSL/TLS protocol with CVE-2014-3566 patch

Show more
Related
Refs
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins
Security Bulletin: Vulnerability in SSLv3 affects IBM InfoSphere Optim Configuration Manager (CVE-2014-3566)
16 Jun 201813:08
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability in SSLv3 affects WebSphere eXtreme Scale and WebSphere eXtreme Scale for z/OS versions 7.0, 7.1.0, 7.1.1, 8.5, and 8.6. (CVE-2014-3566)
15 Jun 201807:01
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability in SSLv3 affects WebSphere included with Tivoli Access Manager for e-business and Security Access Manager for Web (CVE-2014-3566)
16 Jun 201821:20
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability in SSLv3 affects IBM Content Navigator (CVE-2014-3566)
17 Jun 201812:09
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability in SSLv3 affects Warehouse Administration Console and Cubing Services components of IBM InfoSphere Warehouse and IBM DB2 for Linux, Unix and Windows (CVE-2014-3566)
16 Jun 201813:07
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability in SSLv3 affects IBM Data Studio client (CVE-2014-3566)
16 Jun 201813:08
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability in SSLv3 affects IBM MQ Light (CVE-2014-3566)
15 Jun 201807:02
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability in SSLv3 affects GPFS V3.5 for Windows (CVE-2014-3566)
25 Jun 202116:46
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability in SSLv3 affects Multiple N series products (CVE-2014-3566)
15 Dec 202118:05
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability in SSLv3 affects IBM QRadar SIEM. (CVE-2014-3566)
23 Feb 202217:02
ibm
Rows per page
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2014:1653 and 
# Oracle Linux Security Advisory ELSA-2014-1653 respectively.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(78530);
  script_version("1.24");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/06/23");

  script_cve_id("CVE-2014-3566");
  script_bugtraq_id(
    67899,
    67901,
    69075,
    69076,
    69081,
    69082,
    70574
  );
  script_xref(name:"RHSA", value:"2014:1653");

  script_name(english:"Oracle Linux 5 : openssl (ELSA-2014-1653) (POODLE)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Oracle Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"From Red Hat Security Advisory 2014:1653 :

Updated openssl packages that contain a backported patch to mitigate
the CVE-2014-3566 issue are now available for Red Hat Enterprise Linux
5.

Red Hat Product Security has rated this update as having Moderate
security impact.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL),
Transport Layer Security (TLS), and Datagram Transport Layer Security
(DTLS) protocols, as well as a full-strength, general purpose
cryptography library.

This update adds support for the TLS Fallback Signaling Cipher Suite
Value (TLS_FALLBACK_SCSV), which can be used to prevent protocol
downgrade attacks against applications which re-connect using a lower
SSL/TLS protocol version when the initial connection indicating the
highest supported protocol version fails.

This can prevent a forceful downgrade of the communication to SSL 3.0.
The SSL 3.0 protocol was found to be vulnerable to the padding oracle
attack when using block cipher suites in cipher block chaining (CBC)
mode. This issue is identified as CVE-2014-3566, and also known under
the alias POODLE. This SSL 3.0 protocol flaw will not be addressed in
a future update; it is recommended that users configure their
applications to require at least TLS protocol version 1.0 for secure
communication.

For additional information about this flaw, see the Knowledgebase
article at https://access.redhat.com/articles/1232123

All OpenSSL users are advised to upgrade to these updated packages,
which contain a backported patch to mitigate the CVE-2014-3566 issue.
For the update to take effect, all services linked to the OpenSSL
library (such as httpd and other SSL-enabled services) must be
restarted or the system rebooted.");
  script_set_attribute(attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2014-October/004532.html");
  script_set_attribute(attribute:"solution", value:
"Update the affected openssl packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-3566");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/10/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/10/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/10/17");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssl-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssl-perl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Oracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2014-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 5", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);

flag = 0;
if (rpm_check(release:"EL5", reference:"openssl-0.9.8e-31.el5_11")) flag++;
if (rpm_check(release:"EL5", reference:"openssl-devel-0.9.8e-31.el5_11")) flag++;
if (rpm_check(release:"EL5", reference:"openssl-perl-0.9.8e-31.el5_11")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssl / openssl-devel / openssl-perl");
}

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo