Zombie POODLE and GOLDENDOODLE Vulnerabilities

2019-04-22 08:40:40
Yash Sannegowda
blog.qualys.com

Recently, new vulnerabilities named Zombie POODLE, GOLDENDOODLE, 0-Length OpenSSL and Sleeping POODLE were published affecting websites that use CBC (Cipher Block Chaining) block cipher modes. These vulnerabilities apply only if the server uses TLS 1.0, TLS 1.1 or TLS 1.2 with CBC cipher suites.

SSL Labs now marks cipher suites that use CBC in orange with the text WEAK. This change has no effect on grades; it only means that SSL Labs further discourages the use of CBC-based cipher suites.

SSL Labs will start giving an “F” grade to servers affected by these vulnerabilities from the end of May 2019. For now, SSL Labs only gives a warning for servers affected by any of the following:

  • Zombie POODLE (invalid padding with valid MAC)
  • GOLDENDOODLE (valid padding with invalid MAC)
  • 0-Length OpenSSL (invalid MAC with valid padding, 0-length record)
  • Sleeping POODLE (invalid padding with valid MAC)

SSL Labs UI Changes

Limitation in SSL Labs Detections

  • These tests are specific to a protocol/cipher suite combination, and SSL Labs only checks the server's preferred protocol and preferred CBC cipher suite. The server could still be vulnerable with another protocol/cipher suite combination.
  • SSL Labs only checks a limited set of CBC cipher suites.
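Because of these limitations, it is worth enumerating every CBC suite your own server configuration offers, not just the one SSL Labs happens to test. The following Python script is an added example (not part of the original post or of Qualys' tooling): it parses `openssl ciphers -v` output for a server's cipher string and flags each CBC suite usable on TLS 1.0, 1.1 or 1.2, the precondition the post names. The sample output embedded below is constructed; whether a flagged server is actually vulnerable still depends on its implementation and needs the SSL Labs test.

```python
import re

# Constructed sample in the format of `openssl ciphers -v` output; replace it
# with the real output for the cipher string your server is configured with.
SAMPLE_CIPHERS = """\
TLS_AES_256_GCM_SHA384      TLSv1.3 Kx=any  Au=any  Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-SHA256     TLSv1.2 Kx=ECDH Au=RSA  Enc=AES(128)               Mac=SHA256
ECDHE-RSA-AES128-SHA        TLSv1   Kx=ECDH Au=RSA  Enc=AES(128)               Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA  Enc=3DES(168)              Mac=SHA1
"""

# One line per suite: name, minimum protocol, Kx=, Au=, Enc=, Mac=.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=\S+\s+Au=\S+\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

def cipher_mode(enc, mac):
    """Derive the record-protection mode from the Enc= and Mac= columns."""
    if mac == "AEAD":                      # GCM, CCM, CHACHA20/POLY1305: no MAC-then-encrypt
        return "AEAD"
    if enc.startswith("RC4") or enc == "None":
        return "STREAM"                    # not CBC (weak for other reasons)
    return "CBC"                           # AES, 3DES, CAMELLIA, SEED, ... with an HMAC

def audit(ciphers_v_output):
    """Parse `openssl ciphers -v` text; flag every CBC suite usable on TLS 1.0-1.2."""
    rows = []
    for line in ciphers_v_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # blank or unrecognised line
        mode = cipher_mode(m["enc"], m["mac"])
        rows.append({
            "name": m["name"],
            "proto": m["proto"],
            "mode": mode,
            # CBC on anything below TLS 1.3 is what SSL Labs marks WEAK;
            # TLS 1.3 suites are AEAD-only and never match.
            "flag_weak": mode == "CBC" and m["proto"] != "TLSv1.3",
        })
    return rows

def weak_suites(ciphers_v_output):
    """Names of the suites that would be marked WEAK, in configured order."""
    return [r["name"] for r in audit(ciphers_v_output) if r["flag_weak"]]

if __name__ == "__main__":
    for r in audit(SAMPLE_CIPHERS):
        tag = "WEAK" if r["flag_weak"] else "ok  "
        print(f"{tag} {r['name']:<28} {r['proto']:<8} {r['mode']}")
```

Run it as `openssl ciphers -v 'YOUR-CIPHER-STRING' | python3 audit.py` after changing the script to read `sys.stdin` instead of the sample; any suite printed as WEAK is one to remove or push below the AEAD suites in preference order.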

More Information

Update April 26, 2019: The warning is live on <https://dev.ssllabs.com/> and <https://www.ssllabs.com/>. As stated above, the grade change will be live by the end of May.