The SSL (Secure Sockets Layer) protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to a single operating system of servers or clients.
The CVE number assigned to this issue is CVE-2014-3566.
Source: National Institute of Standards and Technology; http://nvd.nist.gov/home.cfm
Poodle vulnerabilities are being rated “4.3 out of 10” (basis).
An attacker must make several hundred HTTPS requests before the attack could be successful. If he successfully, he could decrypt portions of the encrypted traffic.
Fujitsu recommend customers to migrate clients and servers to other security protocols, such as Transport Layer Security (TLS) 1.0, TLS1.1 or TLS1.2.
Fujitsu is announcing that SSL 3.0 will be disabled in the default configuration of affected SW products over the coming months. Please see also the information of other SW provider.
All products which using a secure channel by encrypting communications based on SSL 3.0.
Fujitsu is analyzing its products and will update this list below accordingly.
For Products, doesn’t hold in this list, please contact your service partner.
Share this page