
[oss-security] CVE question: Return of POODLE

Description

Hi All,

Before I ask my question:

It seems some TLS implementations may be vulnerable to a POODLE-like attack if they use SSL 3.0 type padding and the padding bytes are not checked by the implementation.

https://www.imperialviolet.org/2014/12/08/poodleagain.html
https://devcentral.f5.com/articles/cve-2014-8730-padding-issue-8151

CVE-2014-8730 was assigned to this issue (by MITRE, I suppose) and it's not clear if this CVE has been assigned to their code or to the protocol weakness.

I have not checked if any implementations are vulnerable, but could MITRE please confirm if it's ok to reuse this CVE if any crypto-libs are found vulnerable, or if they plan to assign another CVE id?

--
Huzaifa Sidhpurwala / Red Hat Product Security Team
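Added example, not part of the original post and not taken from any library: a C sketch of the difference between an SSL 3.0-type padding check, which looks only at the final length byte, and the TLS check, which verifies every padding byte. The function names, the 8-byte placeholder MAC length and the three sample records are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 16-byte decrypted CBC records: 4 data bytes, 8 placeholder
 * MAC bytes, 3 padding bytes, 1 padding-length byte. */
const uint8_t rec_valid[16]    = {'d','a','t','a', 1,2,3,4,5,6,7,8, 3,3,3,3};
const uint8_t rec_tampered[16] = {'d','a','t','a', 1,2,3,4,5,6,7,8, 0xAA,0xBB,0xCC,3};
const uint8_t rec_overlong[16] = {'d','a','t','a', 1,2,3,4,5,6,7,8, 15,15,15,15};

/* SSL 3.0-type check: only the final length byte is examined, so the
 * content of the padding bytes is never verified. */
int sslv3_type_padding_ok(const uint8_t *rec, size_t len, size_t mac_len)
{
    if (len < mac_len + 1) return 0;
    return (size_t)rec[len - 1] + 1 <= len - mac_len;
}

/* TLS check: each of the pad+1 trailing bytes must equal pad. The loop
 * has no early exit; production code also uses branch-free comparisons. */
int tls_padding_ok(const uint8_t *rec, size_t len, size_t mac_len)
{
    if (len < mac_len + 1) return 0;
    uint8_t pad = rec[len - 1];
    size_t window = len - mac_len;          /* bytes that may be padding */
    if (window > 256) window = 256;         /* pad is at most 255 */
    unsigned bad = ((size_t)pad + 1 > len - mac_len);
    for (size_t i = 0; i < window; i++) {
        uint8_t in_pad = (uint8_t)-(i <= pad);   /* 0xFF inside padding */
        bad |= in_pad & (uint8_t)(rec[len - 1 - i] ^ pad);
    }
    return bad == 0;
}

int main(void)
{
    printf("valid:    sslv3-type=%d tls=%d\n",
           sslv3_type_padding_ok(rec_valid, 16, 8), tls_padding_ok(rec_valid, 16, 8));
    printf("tampered: sslv3-type=%d tls=%d\n",
           sslv3_type_padding_ok(rec_tampered, 16, 8), tls_padding_ok(rec_tampered, 16, 8));
    printf("overlong: sslv3-type=%d tls=%d\n",
           sslv3_type_padding_ok(rec_overlong, 16, 8), tls_padding_ok(rec_overlong, 16, 8));
    return 0;
}
```

The tampered record is the case the post is about: the length-only check accepts it, while the full check rejects it.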

