SSL V3.0 "Poodle" Vulnerability - CVE-2014-3566


PURPOSE


The purpose of this document is to provide information regarding the "Poodle" vulnerability CVE-2014-3566. This information formerly was provided in MOS note 1935500.1 but is now included here.

SCOPE


This vulnerability affects all Oracle products that include components supporting SSL version 3.0.

DETAILS


A security vulnerability affecting SSL v3.0 was recently publicly disclosed (Padding Oracle On Downgraded Legacy Encryption, or “Poodle”). This security vulnerability is the result of a design flaw in SSL v3.0: with CBC cipher suites, the padding bytes of a record are neither covered by the MAC nor checked by the receiver, which gives a network attacker who can modify records a padding oracle for recovering plaintext such as session cookies. Note that this vulnerability does not affect the TLS protocol and is limited to SSL 3.0, which is widely considered an obsolete protocol. This vulnerability has received the identifier CVE-2014-3566.

The disclosure of this vulnerability should encourage organizations to deprecate the use of SSL 3.0 as soon as possible. A number of security organizations have recommended SSL v3.0 be abandoned in favor of TLS. For example, the OWASP guidelines (https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet) state:

  • "Do not support SSL 3.0: There is rarely a need to support SSLv3, as long as you do not need to support IE6/XP [1] and older. SSLv3 has known weaknesses[2] which severely compromise the channel's security. In situations where lesser security requirements are necessary, it may be acceptable to also provide support for SSLv3. It should be used only after risk analysis and acceptance."

ACTION


Disable SSL 3.0 in all Oracle products that support this protocol. This note will be updated with product-specific instructions for disabling SSL 3.0. Note that a number of Oracle products do not support SSL 3.0, and no further action will be required for these products.
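Before and after applying a product-specific change, verify that the listener in question no longer negotiates SSL 3.0. The script below is an added example, not Oracle tooling and not a procedure from any of the patch notes referenced here: it hand-builds an SSL 3.0 ClientHello (current Python ssl modules refuse to speak SSL 3.0, so the ssl module cannot be used for this) and classifies the first record the server returns. The host and port are whatever you point it at, and the cipher suite list is a constructed sample of SSL 3.0-era suites.

```python
"""Probe whether a listener still negotiates SSL 3.0. Added example, not
Oracle tooling: it hand-builds an SSL 3.0 ClientHello, because current
Python ssl modules cannot speak SSL 3.0, and classifies the server's
first record."""
import os
import socket
import struct
import sys

SSL3 = b"\x03\x00"  # SSL 3.0 on the wire: major 3, minor 0
# Constructed sample of SSL 3.0-era cipher suites (IDs from RFC 6101 / RFC 5246)
CIPHER_SUITES = [0x0005, 0x000A, 0x002F, 0x0035, 0x0004]


def build_ssl3_client_hello(client_random=None):
    """ClientHello handshake message wrapped in an SSL 3.0 record."""
    client_random = client_random or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (SSL3                               # client_version
            + client_random                    # 32 bytes of random
            + b"\x00"                          # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                     # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake  # type 22 = handshake


def classify_response(data):
    """Map the first record the server sends back to a verdict string."""
    if len(data) < 5:
        return "no-response"          # connection closed without a record
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:
        level, description = data[5], data[6]   # 40 = handshake_failure, 70 = protocol_version
        return f"alert-{level}-{description}"
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:   # ServerHello
        server_version = data[9:11]
        return "sslv3-accepted" if server_version == SSL3 else f"server-hello-version-{server_version.hex()}"
    return "unexpected"


def probe(host, port=443, timeout=5.0):
    """Connect, send the SSL 3.0 ClientHello, classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl3_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except (ConnectionResetError, socket.timeout):
            return "no-response"


if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{host}:{port} -> {probe(host, port)}")
```

A ServerHello carrying version 0x0300 ("sslv3-accepted") means the listener still completes an SSL 3.0 handshake and remains exposed to CVE-2014-3566. An alert (typically description 70, protocol_version, or 40, handshake_failure), an immediate close, or a timeout means SSL 3.0 was refused. Probe every port the product's patch note tells you to reconfigure, since administrative and agent listeners are often configured separately from the main service port.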


NOTE


Please note that a POODLE-related vulnerability was recently reported as affecting older TLS libraries (e.g. CVE-2014-8730). This TLS vulnerability exists if TLS 1.0 or TLS 1.1 was implemented in these libraries using the SSL v3.0 padding check, which inspects only the padding-length byte, rather than the TLS check, which requires every padding byte to equal the padding-length byte. Such a library can be attacked in the same way even though the negotiated protocol is TLS. At this time, Oracle is not aware of any third party code in Oracle programs available for distribution being affected by this issue. Oracle believes that none of the affected TLS libraries were included in any of these Oracle programs.
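The padding flaw behind both the SSL 3.0 design weakness described under DETAILS and the TLS-library variant in this note, as an added example that is not code from Oracle or from any SSL library: the block cipher below is a toy Feistel construction (POODLE depends only on CBC chaining, not on the cipher) and the record is a simplified MAC-then-encrypt layout of plaintext, then MAC, then padding. open_record with strict=False is the SSL 3.0 receiver, which trusts the padding-length byte and never looks at the padding bytes; strict=True is the TLS check. poodle_recover plays the attacker: it replaces the all-padding final block with the block holding a secret byte and uses accept/reject as the oracle. Calling it with TLS-style padding but the lax check reproduces the CVE-2014-8730 situation; with the strict check the oracle never fires.

```python
"""SSL 3.0 CBC padding check versus the TLS check, and the POODLE
byte-recovery the SSL 3.0 check permits. Added example: not Oracle's code
and not a real SSL stack. Toy Feistel cipher (POODLE needs only CBC);
simplified MAC-then-encrypt record: plaintext || MAC || padding."""
import hashlib
import hmac
import os

BLOCK = 16    # cipher block size in bytes
MAC_LEN = 16  # toy MAC: HMAC-SHA256 truncated to 16 bytes (SSL 3.0's own MAC differs)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, rnd):
    # Feistel round function: keyed SHA-256 truncated to a half block
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def block_encrypt(key, blk):
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r


def block_decrypt(key, blk):
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in reversed(range(4)):
        r, l = l, _xor(r, _f(key, l, rnd))
    return l + r


def cbc_encrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        out += _xor(block_decrypt(key, data[i:i + BLOCK]), prev)
        prev = data[i:i + BLOCK]
    return out


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


def seal(key_enc, key_mac, plaintext, ssl3_padding):
    """Encrypt one record under a fresh IV. SSL 3.0 leaves the padding bytes
    undefined (only the final length byte matters); TLS requires every
    padding byte to equal the length byte. Returns (iv, ciphertext)."""
    pad_len = (-(len(plaintext) + MAC_LEN + 1)) % BLOCK
    filler = os.urandom(pad_len) if ssl3_padding else bytes([pad_len]) * pad_len
    iv = os.urandom(BLOCK)
    data = plaintext + _mac(key_mac, plaintext) + filler + bytes([pad_len])
    return iv, cbc_encrypt(key_enc, iv, data)


def open_record(key_enc, key_mac, iv, record, strict):
    """Receiver. strict=False is the SSL 3.0 check: read the length byte,
    strip, never inspect the padding bytes. strict=True is the TLS check.
    Returns the plaintext, or None when the record is rejected."""
    data = cbc_decrypt(key_enc, iv, record)
    pad_len = data[-1]
    if pad_len >= BLOCK or pad_len + 1 + MAC_LEN > len(data):
        return None
    if strict and any(b != pad_len for b in data[-(pad_len + 1):-1]):
        return None
    body = data[:-(pad_len + 1)]
    plaintext, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(tag, _mac(key_mac, plaintext)):
        return None
    return plaintext


def poodle_recover(secret, receiver_strict, ssl3_padding=True, max_tries=20000):
    """Attacker model: the victim encrypts attacker-chosen prefix || secret ||
    attacker-chosen suffix (a cookie inside an HTTPS request) and the attacker
    only learns whether the receiver accepted the record. Returns the bytes
    recovered; stops as soon as the oracle stops firing."""
    key_enc, key_mac = os.urandom(16), os.urandom(16)
    recovered = bytearray()
    for j in range(len(secret)):
        prefix = (BLOCK - 1 - j) % BLOCK                      # secret[j] becomes the last byte of a block
        suffix = (-(prefix + len(secret) + MAC_LEN)) % BLOCK  # plaintext+MAC block-aligned: last block is all padding
        target = (prefix + j) // BLOCK + 1                    # 1-based index of the block holding secret[j]
        found = None
        for _ in range(max_tries):
            iv, rec = seal(key_enc, key_mac, b"A" * prefix + secret + b"B" * suffix, ssl3_padding)
            blocks = [iv] + [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]
            # Swap the all-padding last block C_n for C_target. CBC decrypts it to
            # P_target XOR C_{target-1} XOR C_{n-1}; the MAC still covers the untouched
            # blocks 1..n-1, so the receiver accepts iff that block's last byte is
            # BLOCK-1, the expected padding length. Each retry brings fresh ciphertext.
            forged = rec[:-BLOCK] + blocks[target]
            if open_record(key_enc, key_mac, iv, forged, receiver_strict) is not None:
                found = (BLOCK - 1) ^ blocks[target - 1][-1] ^ blocks[-2][-1]
                break
        if found is None:
            break   # strict check: all padding bytes would have to match, which never happens
        recovered.append(found)
    return bytes(recovered)
```

With the lax check each byte costs about 256 forged records on average, which is why the real attack needs the attacker to make the victim's browser repeat requests. Note that nothing about the cipher or the MAC is broken: the recovery works purely because the receiver's decision to accept reveals one byte of plaintext per success, which is what the TLS padding check (and disabling SSL 3.0 outright) removes.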


Below is the list of affected products and mitigation instructions as of November 30, 2016 at 05:56 PM Pacific.


1.0 Oracle products that are likely vulnerable to CVE-2014-3566 and have fixes currently available

Global Product Security has determined that the following 130 Oracle products include SSL v3.0 support in their distributions and have been reported as vulnerable to CVE-2014-3566. Oracle has issued fixes for these products per the table below. Refer to the individual Patch Availability Documents for information regarding the specific CVEs addressed.

Patch availability information is provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers remain on actively supported versions to ensure that they continue to receive security fixes from Oracle.


Patch Availability Table
Affected Products Patch Availability
Application Performance Management [Product ID 9572] MOS note 1940329.1
Brocade (McData) Fiber Channel Switches and Manage [Product ID 9864] MOS note 1983989.1
Endeca Guided Search / Endeca Experience Manager [Product ID 9633] MOS note 1940739.1
Enterprise Manager Base Platform [Product ID 1370] MOS note 1938799.1
Exadata Storage Server [Product ID 2546] MOS note 1935817.1
Exalogic [Product ID 9415] MOS note 1963818.1
Glassfish Server [Product ID 8493] MOS note 1947484.1
Hyperion Essbase [Product ID 4379] MOS note 2204625.1
Integrated Lights Out Manager (ILOM) (in SPARC M6-32, M5-32, T5, T4, T3, T2+ and T2 Based Systems, Sun Blade 6000 Modular Systems, Intel Xeon Based Servers and InfiniBand Switches and Opus Switches) [Product ID 9849] MOS note 1935986.1
Java ME - JSRs and Options [Product ID 9322] MOS note 1938074.1
Java ME [Product ID 9327 ] MOS note 1938074.1
Java SE [Product ID 856] http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
Micros Retail CWSSerenade [Product ID 10787] MOS note 1937712.1
Micros Retail Locate [Product ID 10787] MOS note 1937701.1
OC4J [Product ID 1270] MOS note 1936300.1
Oracle API Gateway 11.1.1 and 11.1.2 [Product ID 9195 ] MOS note 1943916.1
Oracle Application Testing Suite [Product ID 4622] MOS note 1942388.1
Oracle Audit Vault and Database Firewall [Product ID 9749] MOS note 2114142.1
Oracle Big Data Appliance [Product ID 9734 ] MOS note 1940509.1
Oracle Business Intelligence Data Warehouse Administration Console [Product ID 8484] MOS note 1985975.1
Oracle Business Intelligence Enterprise Edition [Product ID 2025 ] MOS note 2084707.1
Oracle CloudNet Gateway Cloud Service [Product ID 11158] MOS note 1942665.1
Oracle Coherence [Product ID 2545] MOS note 1965582.1
Oracle Communications Application Orchestrator 1.0 [Product ID 11189] MOS note 1940117.1
Oracle Communications Application Session Controller [Product ID 10769] MOS note 1949958.1
Oracle Communications Border Gateway [Product ID 10751] MOS note 1941429.1
Oracle Communications Calendar Server [Product ID 8494] MOS note 1935643.1
Oracle Communications Convergence [Product ID 8501] MOS note 1935643.1
Oracle Communications Delegated Administrator [Product ID 8505] MOS note 1935643.1
Oracle Communications Diameter Intelligence Hub [Product ID 11126] MOS note 1946120.1
Oracle Communications Diameter Signaling Router (DSR) [Product ID 10899] MOS note 1946120.1
Oracle Communications EAGLE Application Processor [Product ID 11122] MOS note 1945734.1
Oracle Communications Enterprise Trunk Manager [Product ID 10760] MOS note 1940117.1
Oracle Communications Indexing and Search Service [Product ID 8503] MOS note 1935643.1
Oracle Communications Instant Messaging Server [Product ID 8495] MOS note 1935643.1
Oracle Communications Interactive Session Recorder [Product ID 10765] MOS note 1939313.1
Oracle Communications Internet Name and Address Management [Product ID 2262] MOS note 1988370.1
Oracle Communications Messaging Server [Product ID 8496] MOS note 1935643.1
Oracle Communications Network Charging and Control [Product ID 4623] MOS note 1942857.1
Oracle Communications Objectel [Product ID 2264] MOS note 1941921.1
Oracle Communications Performance Intelligence Center Software [Product ID 11044] MOS note 1945885.1
Oracle Communications Policy Management [Product ID 10900] MOS note 1946122.1
Oracle Communications Security Gateway [Product ID 10755 ] MOS note 1941429.1
Oracle Communications Service Broker Engineered System [Product ID 9056] MOS note 1955337.1
Oracle Communications Session Border Controller [Product ID 10750 ] MOS note 1941429.1
Oracle Communications Session Element Manager [Product ID 11052] MOS note 1940117.1
Oracle Communications Session Monitor [Product ID 10761] MOS note 1966174.1
Oracle Communications Session Report Manager [Product ID 10770] MOS note 1940117.1
Oracle Communications Session Route Manager [Product ID 10771] MOS note 1940117.1
Oracle Communications Session Router [Product ID 10752 ] MOS note 1941429.1
Oracle Communications Subscriber Data Management [Product ID 10901] MOS note 1946123.1
Oracle Communications Tunneled Session Controller [Product ID 10759] MOS note 1941429.1
Oracle Communications Unified Session Manager [Product ID 10753 ] MOS note 1941429.1
Oracle Communications WebRTC Session Controller [Product ID 10811] MOS note 1950427.1
Oracle Database [Product ID 5] MOS note 1938502.1
Oracle Database Appliance Software [Product ID 9435] MOS note 888888.1
Oracle Daybreak [Product ID 9496 ] MOS note 1994990.1
Oracle Directory Server Enterprise Edition [Product ID 8512] MOS note 1950334.1
Oracle E-Business Suite (All products in this suite) [Product ID 1745] MOS note 1937646.1
Oracle Endeca Information Discovery Studio [Product ID 9634 ] MOS note 1942667.1
Oracle Endeca Server [Product ID 10217] MOS note 1991857.1
Oracle Enterprise Communications Broker [Product ID 10758] MOS note 1942201.1
Oracle Enterprise Manager Database Control [Product ID 1366] MOS note 1946195.1
Oracle Enterprise Manager OPScenter [Product ID 9835] MOS note 1938218.1
Oracle Enterprise Session Border Controller [Product ID 10757] MOS note 1942201.1
Oracle Exchange Marketplace [Product ID 930] MOS note 1937220.1
Oracle Explorer [Product ID 1330] MOS note 1938264.1
Oracle Fabric Interconnect F1-15 [Product ID 10529] MOS note 1964083.1
Oracle Fusion Middleware [Product ID 1032] MOS note 1936300.1
Oracle Health Sciences Empirica Inspections [Product ID 10381] MOS note 1942695.1
Oracle Health Sciences Empirica Signal [Product ID 9646] MOS note 1942695.1
Oracle Health Sciences Empirica Study [Product ID 9647] MOS note 1942695.1
Oracle Healthcare Transaction Base [Product ID 1122] MOS note 1940643.1
Oracle HTTP Server [Product ID 1042] MOS note 1936300.1
Oracle Identity Manager [Product ID 1980] MOS note 1944350.1
Oracle Internet Directory [Product ID 355] MOS note 2063217.1
Oracle iPlanet Web Proxy Server [Product ID 8542] MOS note 1936106.1
Oracle iPlanet Web Server [Product ID 8543] MOS note 1936106.1
Oracle JDeveloper [Product ID 807] MOS note 1968245.1
Oracle Key Vault version 12.1.0.2.0 and earlier [Product ID 10221] MOS note 2114112.1
Oracle Life Sciences Data Hub 2.1.4 [Product ID 1710] MOS note 1940643.1
Oracle Linux [Product ID 1309] MOS note 1940202.1
Oracle Mobile Security Suite [Product ID 10913] MOS note 1941584.1
Oracle Net Services [Product ID 115] MOS note 1938502.1
Oracle Real-Time Scheduler V1 [Product ID 2238] MOS note 1983978.1
Oracle Reports Developer [Product ID 159] MOS note 1969706.1
Oracle Secure Backup [Product ID 1522] MOS note 1941857.1
Oracle Secure Global Desktop [Product ID 8539] MOS note 1941556.1
Oracle Service Architecture Leveraging Tuxedo (SALT) [Product ID 5435] MOS note 1964604.1
Oracle Solaris Cluster [Product ID 10005] MOS note 1999997.1
Oracle SuperCluster [Product ID 10011] MOS note 1953731.1
Oracle Switch ES1-24 [Product ID 9889] MOS note 1935986.1
Oracle Traffic Director [Product ID 9276] MOS note 1938044.1
Oracle Transportation Management [Product ID 1991] MOS note 1938312.1
Oracle Unified Directory [Product ID 9118] MOS note 1950331.1
Oracle Utilities Mobile Workforce Management [Product ID 2239] MOS note 1983978.1
Oracle Virtual Compute Appliance Software [Product ID 10635] MOS note 1944721.1
Oracle Virtual Desktop Infrastructure [Product ID 8540] MOS note 1998868.1
Oracle Virtual Directory [Product ID 1978] MOS note 1950332.1
Oracle VM [Product ID 4455] MOS note 1940203.1
Oracle VM VirtualBox [Product ID 8370] MOS note 1962878.1
Oracle Web Cache [Product ID 1059] MOS note 1938509.1
Oracle WebLogic Server [Product ID 5242] MOS note 1936300.1
PeopleSoft Enterprise PT PeopleTools [Product ID 5085] MOS note 1969483.1
Primavera P6 Professional Project Management [Product ID 5085 ] MOS note 1950465.1
SAM-QFS [Product ID 10021 ] MOS note 1959855.1
Siebel CRM [Product ID 2295] MOS note 1944467.1
Solaris [Product ID 10006] MOS note 1935621.1
SPARC - OPL and PAPL Service Processor (XCP) [Product ID 9845, 10656] MOS note 1956176.1
StorageTek SL150 Modular Tape Library [Product ID 9537] MOS note 1951634.1
StorageTek T10000A Tape Drive [Product ID 10077] MOS note 1952054.1
StorageTek T10000B Tape Drive [Product ID 10078] MOS note 1952054.1
StorageTek T10000C Tape Drive [Product ID 10079] MOS note 1937698.1
StorageTek T10000D Tape Drive [Product ID 10080] MOS note 1937698.1
StorageTek Tape Analytics [Product ID 10085] MOS note 2169527.1
Sun Blade 6000 Ethernet Switched NEM 24P 10GE [Product ID 9889 ] MOS note 1935986.1
Sun Data Center InfiniBand Switch 36 (NM2-36P) [Product ID 9886 ] MOS note 1935986.1
Sun Java Composite Application Platform Suites (CAPS) [Product ID 8528] MOS note 2009599.1
Sun Network 10GE Switch 72p [Product ID 9889] MOS note 1935986.1
Sun Network QDR InfiniBand Gateway Switch (NM2-GW) [Product ID 9885 ] MOS note 1935986.1
Sun Ray Operating Software (SROS) [Product ID 9211 ] MOS note 1998871.1
Sun Ray Software [Product ID 8242] MOS note 1998846.1
Sun ZFS Storage Appliance Kit (AK) [Product ID 10026] MOS note 1935621.1
Tape Library ACSLS [Product ID 10088] MOS note 1950430.1
Tape Library SL150 [Product ID 10099] MOS note 1951634.1
Tape OEM Library SL08 [Product ID 10106] MOS note 1940196.1
Tape OEM Library SL24 [Product ID 10106] MOS note 1940196.1
Tape OEM Library SL48 [Product ID 10107] MOS note 1940196.1
Tape Virtual VSM - Virtual Tape SubSystem [Product ID 10117] MOS note 1950826.1
Tekelec HLR Router [Product ID 11047] MOS note 1946128.1

 

2.0 Oracle products that are likely vulnerable to CVE-2014-3566 but for which no fixes are yet available

Global Product Security has identified no products at this time that include SSL v3.0 in at least one version and do not yet have fixes available.


3.0 Products That Do Not Include SSL V3.0

Global Product Security has determined that the following 55 Oracle products do not include SSL V3.0 in their initial distribution (i.e., “out of the box”) and should therefore not be subject to CVE-2014-3566. No further action is therefore expected for these products:

  • Acme Packet 4500 [Product ID 10747]
  • Acme Packet 6300 [Product ID 10745]
  • Application Express [Product ID 1348]
  • Enterprise Manager Plug-ins [Product ID 2006 ]
  • HP LTO6 Tape Drive [Product ID 10506]
  • Hyperion BI+ [Product ID 4361 ]
  • Hyperion Financial Management [Product ID 4390]
  • Hyperion Planning [Product ID 4402]
  • Instantis Enterprise Track [Product ID 10563]
  • Oracle Applications DBA [Product ID 166]
  • Oracle ATG Web Commerce Search [Product ID 9350 ]
  • Oracle Business Intelligence Applications [Product ID 2064]
  • Oracle Clinical [Product ID 801]
  • Oracle Communications Core Session Manager [Product ID 10754]
  • Oracle Communications EAGLE [Product ID 10768]
  • Oracle Communications EAGLE Element Management System [Product ID 11125]
  • Oracle Communications Eagle LNP Provision System [Product ID 11118]
  • Oracle Communications Local Service Management System [Product ID 11114]
  • Oracle Communications Subscriber-Aware Load Balancer [Product ID 10766]
  • Oracle Discoverer [Product ID 964]
  • Oracle Event Processing [Product ID 5370]
  • Oracle Financial Services Lending and Leasing [Product ID 10484]
  • Oracle Forms [Product ID 45]
  • Oracle Fusion Middleware Repository Creation Utility [Product ID 1032/RCU]
  • Oracle Grid Infrastructure [Product ID 1176]
  • Oracle Identity Federation [Product ID 1741]
  • Oracle Portal [Product ID 96]
  • Oracle REST Data Services [Product ID 9456]
  • Oracle Service Bus [Product ID 5308]
  • Oracle SOA Suite [Product ID 1162]
  • Oracle Sun OpenSSO Server [Product ID 8520]
  • Oracle Thesaurus Management System [Product ID 192]
  • Oracle Utilities Customer Care and Billing [Product ID 2237]
  • Oracle Waveset [Product ID 8518]
  • Oracle Web Service [Product ID 1271]
  • Oracle Webcenter Portal [Product ID 1696]
  • Oracle(R) BPEL Process Manager 10g [Product ID 1669]
  • PeopleSoft Enterprise HRMS Human Resources [Product ID 5071]
  • Scapp [Product ID 9851]
  • SMS [Product ID 9852]
  • Sun StorageTek Storage Management Component [Product ID 10098]
  • Sun System Firmware [Product ID 9846]
  • Tape Library ACSLS CSC Toolkit [Product ID 10089]
  • Tape Library ACSLS HA [Product ID 10090]
  • Tape Library ACSLS LibAttach - Windows Client [Product ID 10091]
  • Tape Library ACSLS LibAttach Integrators Pack [Product ID 10092]
  • Tape Library ACSLS RMLS - AS/400 Client [Product ID 10093]
  • Tape Library ACSLS SNMP Agent [Product ID 10094]
  • Tape Library HP SL500 - HP EML Modular Tape Librar [Product ID 10096]
  • Tape Library SL3000 [Product ID 10100]
  • Tape Library SL500 [Product ID 10101]
  • Tape Library SL8500 [Product ID 10102]
  • Tape Library SLC - StorageTek Library Console [Product ID 10103]
  • Tape OEM Drive for HP LTO5 [Product ID 10104]
  • WebCenter Content [Product ID 2271]

4.0 Products under investigation for inclusion of SSL V3.0

Global Product Security is not investigating any additional products for inclusion of SSL V3.0 to determine if they might be subject to CVE-2014-3566.


5.0 Oracle products that, while including SSL V3.0, are not subject to CVE-2014-3566

Global Product Security has determined that the following 19 products include SSL v3.0 in their distributions but that none of them is subject to CVE-2014-3566. No further action is therefore expected for these products:

  • COREid Access [Product ID 1773]
  • Enterprise Manager for Fusion Middleware [Product ID 1369]
  • JD Edwards EnterpriseOne Tools [Product ID 4781 ]
  • JD Edwards World [Product ID 4781]
  • MySQL Connector/C [Product ID 8576 ]
  • MySQL Connector/ODBC [Product ID 8576 ]
  • MySQL Enterprise Backup [Product ID 4629 ]
  • MySQL Enterprise Monitor [Product ID 8480 ]
  • MySQL Server [Product ID 8478]
  • MySQL Workbench [Product ID 4627 ]
  • Oracle Access Manager / Webgates [Product ID 5565 ]
  • Oracle Access Manager [Product ID 5565]
  • Oracle Advanced Lights Out Manager [Product ID 9843]
  • Oracle Communications ASAP [Product ID 2260]
  • Oracle Communications IP Service Activator [Product ID 2261]
  • Oracle Key Manager [Product ID 10052]
  • Oracle System Assistant [Product ID 10015]
  • Sun Crypto Accelerator 6000 [Product ID 9894 ]
  • Tape Virtual Virtual Library Extension [Product ID 10116]

6.0 Information regarding Oracle Cloud Products


Oracle is assessing the use of SSL v3.0 across its corporate systems and those managed on behalf of Oracle customers (e.g., Oracle Cloud). Oracle is actively deprecating the use of this protocol. In instances where Oracle identifies a possible impact to cloud customers, Oracle will work with the affected customers to determine the best course of action. Oracle recommends that cloud customers investigate their use of SSL v3.0 and discontinue the use of this protocol to the extent possible.

For more information:

  • Oracle Managed Cloud Services (OMCS) Customers should contact their Service Delivery Manager (SDM).
  • Oracle Cloud for Industry (OCI) and Micros Cloud Customers should contact gbu-risk-compliance-resp_ww@oracle.com.
  • Oracle Public Cloud (OPC) Customers should submit a Service Request within their designated support system to request an update which is specific to the services they have purchased.