The purpose of this document is to provide information regarding the "Poodle" vulnerability CVE-2014-3566. This information was formerly provided in MOS note 1935500.1 but is now included here.
This vulnerability affects all products that include SSL version 3.0-compliant components.
A security vulnerability affecting SSL v3.0 was recently publicly disclosed (Padding Oracle On Downgraded Legacy Encryption, or “Poodle”). This security vulnerability is the result of a design flaw in SSL v3.0. Note that this vulnerability does not affect TLS and is limited to SSL 3.0, which is widely considered an obsolete protocol. This vulnerability has received the identifier CVE-2014-3566.
The disclosure of this vulnerability should encourage organizations to deprecate the use of SSL 3.0 as soon as possible. A number of security organizations have recommended SSL v3.0 be abandoned in favor of TLS. For example, the OWASP guidelines (https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet) state:
Disable SSL 3.0 in all Oracle products that support this protocol. This note will be updated with product-specific instructions for disabling SSL 3.0. Note that a number of Oracle products do not support SSL 3.0, and no further action will be required for these products.
Please note that a POODLE-related vulnerability was recently reported as affecting older TLS libraries (e.g. CVE-2014-8730). This TLS vulnerability exists if TLS 1.0 or TLS 1.1 was implemented in these libraries using the SSL V3.0 decoding algorithm rather than the updated TLS algorithm. At this time, Oracle is not aware of any third party code in Oracle programs available for distribution being affected by this issue. Oracle believes that none of the affected TLS libraries were included in any of these Oracle programs.
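As an added illustration, not code from this note or from any Oracle product, the following shows what the difference between the "SSL V3.0 decoding algorithm" and the updated TLS algorithm amounts to at the CBC padding check, using constructed already-decrypted records; it assumes a 16-byte cipher block and leaves the MAC step out.

```python
# Added illustration, not code from the Oracle note it accompanies.
# Contrasts the SSL 3.0 padding check with the TLS 1.0+ check on
# constructed CBC-decrypted records; MAC verification is omitted.
from typing import Optional

BLOCK_SIZE = 16  # assumption: 16-byte cipher block, as with AES-CBC


def unpad_sslv3(decrypted: bytes, block_size: int = BLOCK_SIZE) -> Optional[bytes]:
    """SSL 3.0 style: only the last byte (the pad length) is checked.
    The pad bytes themselves may hold anything, so the receiver cannot
    distinguish a tampered block from a valid one by its padding."""
    if not decrypted:
        return None
    pad_len = decrypted[-1]
    if pad_len >= block_size or pad_len + 1 > len(decrypted):
        return None
    return decrypted[: len(decrypted) - pad_len - 1]


def unpad_tls(decrypted: bytes) -> Optional[bytes]:
    """TLS 1.0+ style (RFC 2246 section 6.2.3.2): every pad byte must
    equal the pad-length byte, so arbitrary filler is rejected."""
    if not decrypted:
        return None
    pad_len = decrypted[-1]
    if pad_len + 1 > len(decrypted):
        return None
    if any(b != pad_len for b in decrypted[-(pad_len + 1):]):
        return None
    return decrypted[: len(decrypted) - pad_len - 1]


# Constructed records: 5 payload bytes followed by 11 bytes of padding.
VALID_RECORD = b"hello" + bytes([10]) * 11                 # pad bytes all equal pad length
FILLER_RECORD = b"hello" + bytes(range(10)) + bytes([10])  # pad bytes are arbitrary


def compare(record: bytes) -> dict:
    """Report what each decoder returns for a record; shows what the
    SSL 3.0 check lets through that the TLS check does not."""
    return {"sslv3": unpad_sslv3(record), "tls": unpad_tls(record)}


if __name__ == "__main__":
    for name, rec in (("valid", VALID_RECORD), ("filler", FILLER_RECORD)):
        print(name, compare(rec))
```

A library that still applies the SSL 3.0 rule to TLS 1.0/1.1 records accepts the filler record exactly as it accepts the valid one, which is the condition described for CVE-2014-8730.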
Global Product Security has determined that the following 130 Oracle products include versions of SSL V3.0 in their distributions that have been reported as vulnerable to CVE-2014-3566. Oracle has issued fixes for these products per the table below. Refer to the individual Patch Availability Documents for information regarding the specific CVEs addressed.
Patch availability information is provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers remain on actively supported versions to ensure that they continue to receive security fixes from Oracle.
| Affected Products | Patch Availability |
|---|---|
Application Performance Management [Product ID 9572] | MOS note 1940329.1 |
Brocade (McData) Fiber Channel Switches and Manage [Product ID 9864] | MOS note 1983989.1 |
Endeca Guided Search / Endeca Experience Manager [Product ID 9633] | MOS note 1940739.1 |
Enterprise Manager Base Platform [Product ID 1370] | MOS note 1938799.1 |
Exadata Storage Server [Product ID 2546] | MOS note 1935817.1 |
Exalogic [Product ID 9415] | MOS note 1963818.1 |
Glassfish Server [Product ID 8493] | MOS note 1947484.1 |
Hyperion Essbase [Product ID 4379] | MOS note 2204625.1 |
Integrated Lights Out Manager (ILOM) (in SPARC M6-32, M5-32, T5, T4, T3, T2+ and T2 Based Systems, Sun Blade 6000 Modular Systems, Intel Xeon Based Servers and InfiniBand Switches and Opus Switches) [Product ID 9849] | MOS note 1935986.1 |
Java ME - JSRs and Options [Product ID 9322] | MOS note 1938074.1 |
Java ME [Product ID 9327] | MOS note 1938074.1 |
Java SE [Product ID 856] | http://www.oracle.com/java/technologies/javase/instructions-to-mitigate-the-ssl-v30-vulnerability.html |
Micros Retail CWSSerenade [Product ID 10787] | MOS note 1937712.1 |
Micros Retail Locate [Product ID 10787] | MOS note 1937701.1 |
OC4J [Product ID 1270] | MOS note 1936300.1 |
Oracle API Gateway 11.1.1 and 11.1.2 [Product ID 9195] | MOS note 1943916.1 |
Oracle Application Testing Suite [Product ID 4622] | MOS note 1942388.1 |
Oracle Audit Vault and Database Firewall [Product ID 9749] | MOS note 2114142.1 |
Oracle Big Data Appliance [Product ID 9734] | MOS note 1940509.1 |
Oracle Business Intelligence Data Warehouse Administration Console [Product ID 8484] | MOS note 1985975.1 |
Oracle Business Intelligence Enterprise Edition [Product ID 2025] | MOS note 2084707.1 |
Oracle CloudNet Gateway Cloud Service [Product ID 11158] | MOS note 1942665.1 |
Oracle Coherence [Product ID 2545] | MOS note 1965582.1 |
Oracle Communications Application Orchestrator 1.0 [Product ID 11189] | MOS note 1940117.1 |
Oracle Communications Application Session Controller [Product ID 10769] | MOS note 1949958.1 |
Oracle Communications Border Gateway [Product ID 10751] | MOS note 1941429.1 |
Oracle Communications Calendar Server [Product ID 8494] | MOS note 1935643.1 |
Oracle Communications Convergence [Product ID 8501] | MOS note 1935643.1 |
Oracle Communications Delegated Administrator [Product ID 8505] | MOS note 1935643.1 |
Oracle Communications Diameter Intelligence Hub [Product ID 11126] | MOS note 1946120.1 |
Oracle Communications Diameter Signaling Router (DSR) [Product ID 10899] | MOS note 1946120.1 |
Oracle Communications EAGLE Application Processor [Product ID 11122] | MOS note 1945734.1 |
Oracle Communications Enterprise Trunk Manager [Product ID 10760] | MOS note 1940117.1 |
Oracle Communications Indexing and Search Service [Product ID 8503] | MOS note 1935643.1 |
Oracle Communications Instant Messaging Server [Product ID 8495] | MOS note 1935643.1 |
Oracle Communications Interactive Session Recorder [Product ID 10765] | MOS note 1939313.1 |
Oracle Communications Internet Name and Address Management [Product ID 2262] | MOS note 1988370.1 |
Oracle Communications Messaging Server [Product ID 8496] | MOS note 1935643.1 |
Oracle Communications Network Charging and Control [Product ID 4623] | MOS note 1942857.1 |
Oracle Communications Objectel [Product ID 2264] | MOS note 1941921.1 |
Oracle Communications Performance Intelligence Center Software [Product ID 11044] | MOS note 1945885.1 |
Oracle Communications Policy Management [Product ID 10900] | MOS note 1946122.1 |
Oracle Communications Security Gateway [Product ID 10755] | MOS note 1941429.1 |
Oracle Communications Service Broker Engineered System [Product ID 9056] | MOS note 1955337.1 |
Oracle Communications Session Border Controller [Product ID 10750] | MOS note 1941429.1 |
Oracle Communications Session Element Manager [Product ID 11052] | MOS note 1940117.1 |
Oracle Communications Session Monitor [Product ID 10761] | MOS note 1966174.1 |
Oracle Communications Session Report Manager [Product ID 10770] | MOS note 1940117.1 |
Oracle Communications Session Route Manager [Product ID 10771] | MOS note 1940117.1 |
Oracle Communications Session Router [Product ID 10752] | MOS note 1941429.1 |
Oracle Communications Subscriber Data Management [Product ID 10901] | MOS note 1946123.1 |
Oracle Communications Tunneled Session Controller [Product ID 10759] | MOS note 1941429.1 |
Oracle Communications Unified Session Manager [Product ID 10753] | MOS note 1941429.1 |
Oracle Communications WebRTC Session Controller [Product ID 10811] | MOS note 1950427.1 |
Oracle Database [Product ID 5] | MOS note 1938502.1 |
Oracle Database Appliance Software [Product ID 9435] | MOS note 888888.1 |
Oracle Daybreak [Product ID 9496] | MOS note 1994990.1 |
Oracle Directory Server Enterprise Edition [Product ID 8512] | MOS note 1950334.1 |
Oracle E-Business Suite (All products in this suite) [Product ID 1745] | MOS note 1937646.1 |
Oracle Endeca Information Discovery Studio [Product ID 9634] | MOS note 1942667.1 |
Oracle Endeca Server [Product ID 10217] | MOS note 1991857.1 |
Oracle Enterprise Communications Broker [Product ID 10758] | MOS note 1942201.1 |
Oracle Enterprise Manager Database Control [Product ID 1366] | MOS note 1946195.1 |
Oracle Enterprise Manager OPScenter [Product ID 9835] | MOS note 1938218.1 |
Oracle Enterprise Session Border Controller [Product ID 10757] | MOS note 1942201.1 |
Oracle Exchange Marketplace [Product ID 930] | MOS note 1937220.1 |
Oracle Explorer [Product ID 1330] | MOS note 1938264.1 |
Oracle Fabric Interconnect F1-15 [Product ID 10529] | MOS note 1964083.1 |
Oracle Fusion Middleware [Product ID 1032] | MOS note 1936300.1 |
Oracle Health Sciences Empirica Inspections [Product ID 10381] | MOS note 1942695.1 |
Oracle Health Sciences Empirica Signal [Product ID 9646] | MOS note 1942695.1 |
Oracle Health Sciences Empirica Study [Product ID 9647] | MOS note 1942695.1 |
Oracle Healthcare Transaction Base [Product ID 1122] | MOS note 1940643.1 |
Oracle HTTP Server [Product ID 1042] | MOS note 1936300.1 |
Oracle Identity Manager [Product ID 1980] | MOS note 1944350.1 |
Oracle Internet Directory [Product ID 355] | MOS note 2063217.1 |
Oracle iPlanet Web Proxy Server [Product ID 8542] | MOS note 1936106.1 |
Oracle iPlanet Web Server [Product ID 8543] | MOS note 1936106.1 |
Oracle JDeveloper [Product ID 807] | MOS note 1968245.1 |
Oracle Key Vault version 12.1.0.2.0 and earlier [Product ID 10221] | MOS note 2114112.1 |
Oracle Life Sciences Data Hub 2.1.4 [Product ID 1710] | MOS note 1940643.1 |
Oracle Linux [Product ID 1309] | MOS note 1940202.1 |
Oracle Mobile Security Suite [Product ID 10913] | MOS note 1941584.1 |
Oracle Net Services [Product ID 115] | MOS note 1938502.1 |
Oracle Real-Time Scheduler V1 [Product ID 2238] | MOS note 1983978.1 |
Oracle Reports Developer [Product ID 159] | MOS note 1969706.1 |
Oracle Secure Backup [Product ID 1522] | MOS note 1941857.1 |
Oracle Secure Global Desktop [Product ID 8539] | MOS note 1941556.1 |
Oracle Service Architecture Leveraging Tuxedo (SALT) [Product ID 5435] | MOS note 1964604.1 |
Oracle Solaris Cluster [Product ID 10005] | MOS note 1999997.1 |
Oracle SuperCluster [Product ID 10011] | MOS note 1953731.1 |
Oracle Switch ES1-24 [Product ID 9889] | MOS note 1935986.1 |
Oracle Traffic Director [Product ID 9276] | MOS note 1938044.1 |
Oracle Transportation Management [Product ID 1991] | MOS note 1938312.1 |
Oracle Unified Directory [Product ID 9118] | MOS note 1950331.1 |
Oracle Utilities Mobile Workforce Management [Product ID 2239] | MOS note 1983978.1 |
Oracle Virtual Compute Appliance Software [Product ID 10635] | MOS note 1944721.1 |
Oracle Virtual Desktop Infrastructure [Product ID 8540] | MOS note 1998868.1 |
Oracle Virtual Directory [Product ID 1978] | MOS note 1950332.1 |
Oracle VM [Product ID 4455] | MOS note 1940203.1 |
Oracle VM VirtualBox [Product ID 8370] | MOS note 1962878.1 |
Oracle Web Cache [Product ID 1059] | MOS note 1938509.1 |
Oracle WebLogic Server [Product ID 5242] | MOS note 1936300.1 |
PeopleSoft Enterprise PT PeopleTools [Product ID 5085] | MOS note 1969483.1 |
Primavera P6 Professional Project Management [Product ID 5085] | MOS note 1950465.1 |
SAM-QFS [Product ID 10021] | MOS note 1959855.1 |
Siebel CRM [Product ID 2295] | MOS note 1944467.1 |
Solaris [Product ID 10006] | MOS note 1935621.1 |
SPARC - OPL and PAPL Service Processor (XCP) [Product ID 9845, 10656] | MOS note 1956176.1 |
StorageTek SL150 Modular Tape Library [Product ID 9537] | MOS note 1951634.1 |
StorageTek T10000A Tape Drive [Product ID 10077] | MOS note 1952054.1 |
StorageTek T10000B Tape Drive [Product ID 10078] | MOS note 1952054.1 |
StorageTek T10000C Tape Drive [Product ID 10079] | MOS note 1937698.1 |
StorageTek T10000D Tape Drive [Product ID 10080] | MOS note 1937698.1 |
StorageTek Tape Analytics [Product ID 10085] | MOS note 2169527.1 |
Sun Blade 6000 Ethernet Switched NEM 24P 10GE [Product ID 9889] | MOS note 1935986.1 |
Sun Data Center InfiniBand Switch 36 (NM2-36P) [Product ID 9886] | MOS note 1935986.1 |
Sun Java Composite Application Platform Suites (CAPS) [Product ID 8528] | MOS note 2009599.1 |
Sun Network 10GE Switch 72p [Product ID 9889] | MOS note 1935986.1 |
Sun Network QDR InfiniBand Gateway Switch (NM2-GW) [Product ID 9885] | MOS note 1935986.1 |
Sun Ray Operating Software (SROS) [Product ID 9211] | MOS note 1998871.1 |
Sun Ray Software [Product ID 8242] | MOS note 1998846.1 |
Sun ZFS Storage Appliance Kit (AK) [Product ID 10026] | MOS note 1935621.1 |
Tape Library ACSLS [Product ID 10088] | MOS note 1950430.1 |
Tape Library SL150 [Product ID 10099] | MOS note 1951634.1 |
Tape OEM Library SL08 [Product ID 10106] | MOS note 1940196.1 |
Tape OEM Library SL24 [Product ID 10106] | MOS note 1940196.1 |
Tape OEM Library SL48 [Product ID 10107] | MOS note 1940196.1 |
Tape Virtual VSM - Virtual Tape SubSystem [Product ID 10117] | MOS note 1950826.1 |
Tekelec HLR Router [Product ID 11047] | MOS note 1946128.1 |
Global Product Security has identified no products at this time that include SSL V3.0 in at least one version of the product and do not yet have fixes available.
Global Product Security has determined that the following 55 Oracle products do not include SSL V3.0 in their initial distribution (i.e., “out of the box”) and should therefore not be subject to CVE-2014-3566. No further action is therefore expected for these products:
Global Product Security is not investigating any additional products for inclusion of SSL V3.0 to determine if they might be subject to CVE-2014-3566.
Global Product Security has determined that the following 19 products are including SSL V3.0 in their distributions but that none of these are subject to CVE-2014-3566. No further action is therefore expected for these products:
Oracle is assessing the use of SSL v3.0 across its corporate systems and those managed on behalf of Oracle customers (e.g., Oracle Cloud). Oracle is actively deprecating the use of this protocol. In instances where Oracle identifies a possible impact to cloud customers, Oracle will work with the affected customers to determine the best course of action. Oracle recommends that cloud customers investigate their use of SSL v3.0 and discontinue the use of this protocol to the extent possible.
For more information: