POODLE and TLS - CVE-2014-8730

A vulnerability (CVE-2014-8730) was discovered where the “POODLE” attack has been repurposed to attack TLS. The “POODLE” attack originally identified in CVE-2014-3566 relied on the fact that SSLv3 doesn’t require its padding to be in any particular format (except for the last byte, the length), leaving it open to attacks by active network attackers. However, even though TLS is very strict about how its padding is formatted, it turns out that some TLS implementations fail to check the padding structure after decryption. Such implementations are vulnerable to the POODLE attack even with TLS.
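The difference between the two padding rules described above, as an added example that is not KEMP's code and not part of the original advisory. The function names, the 16-byte block size and the sample records are assumptions constructed for illustration.

```python
import hmac

BLOCK_SIZE = 16  # assumed CBC block size in bytes (AES)

def sslv3_padding_ok(plaintext: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """SSLv3 rule: only the final length byte is defined; pad bytes are arbitrary."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    # The padding only has to be shorter than a block and fit in the record.
    return pad_len < block_size and pad_len + 1 <= len(plaintext)

def tls_padding_ok(plaintext: bytes) -> bool:
    """TLS rule: every padding byte, and the length byte, must equal pad_len."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    expected = bytes([pad_len]) * (pad_len + 1)
    # Compare the whole padding run, not just its last byte.
    return hmac.compare_digest(plaintext[-(pad_len + 1):], expected)

def strip_padding(plaintext: bytes, check):
    """Return the record content without padding, or None if `check` rejects it."""
    if not check(plaintext):
        return None
    return plaintext[: len(plaintext) - plaintext[-1] - 1]

# Constructed sample records: 12 bytes standing in for data + MAC, then 4 pad bytes.
CONTENT = b"data+mac-012"
WELL_FORMED = CONTENT + b"\x03\x03\x03\x03"   # valid under both rules
MALFORMED = CONTENT + b"\xde\xad\xbe\x03"     # only the length byte is correct

def demo():
    """Map each sample to (accepted by SSLv3 rule, accepted by TLS rule)."""
    samples = {"well_formed": WELL_FORMED, "malformed": MALFORMED}
    return {name: (sslv3_padding_ok(rec), tls_padding_ok(rec))
            for name, rec in samples.items()}

if __name__ == "__main__":
    print(demo())
```

A TLS stack that applies only the first check to TLS records accepts the malformed record, which is the condition CVE-2014-8730 describes.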

KEMP LoadMaster running version 7.1-20b or higher is not vulnerable to CVE-2014-8730.

However, it is still important to mitigate the original “POODLE” attack with the steps outlined in The "POODLE" Vulnerability - CVE-2014-3566.

Investigation into how to mitigate this vulnerability is ongoing for KEMP LoadMaster running versions 7.0-10.

For further information on this vulnerability, please see:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8730

https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls

https://www.imperialviolet.org/2014/12/08/poodleagain.html

 

For additional information and alternative download versions please contact KEMP Support.

KEMP is committed to resolving security vulnerabilities carefully and quickly. If you think you have found a security flaw in a KEMP product, please send all supporting information to securityalert@kemptechnologies.com.

Comments

Andrew Loyer

Any updates on the fix for versions 7.0-10?