
SteelApp not vulnerable to POODLE 2.0 (CVE-2014-8730)

Since the previous article (/t5/SteelApp-Docs/Disabling-SSL-v3-0-for-SteelApp/ta-p/73982) was published, security researchers have determined that TLS 1.x, including TLS 1.2, may also be vulnerable to POODLE-type attacks if an implementation uses an incorrect padding check. However, SteelApp is not vulnerable to this latest issue (CVE-2014-8730), because its TLS stack performs the complete padding checks required by TLS.

 

The original POODLE vulnerability applies only to SSLv3 (ProtocolVersion.major = 3 and ProtocolVersion.minor = 0 in the ClientHello and ServerHello) and is a protocol-level weakness. It therefore affects all implementations of SSLv3, including that of the SteelApp traffic manager.

 

POODLE 2.0 is not a protocol-level weakness but a bug in certain implementations of TLSv1.0 through TLSv1.2 (ProtocolVersion.major = 3 and ProtocolVersion.minor = 1, 2 or 3). The SteelApp traffic manager's TLS implementation performs all the required padding checks in every TLS version (1.0 - 1.2) and is therefore not affected by POODLE 2.0.
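
The difference between an incomplete and a complete padding check on a decrypted CBC record, as an added example (not SteelApp's code). The function names and the two sample records are constructed for illustration.

```python
# Added illustration; names and sample records are constructed, not vendor code.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def padding_ok_lax(plaintext: bytes, block_size: int = 16) -> bool:
    """Incomplete check: only the trailing padding_length byte is examined."""
    if not plaintext or len(plaintext) % block_size:
        return False
    return plaintext[-1] + 1 <= len(plaintext)

def padding_ok_tls(plaintext: bytes, block_size: int = 16) -> bool:
    """Complete TLS check: every padding byte must equal padding_length."""
    if not plaintext or len(plaintext) % block_size:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    diff = 0
    for b in plaintext[-(pad_len + 1):]:
        diff |= b ^ pad_len  # accumulate mismatches without an early exit
    # A production stack must also make this and the MAC check constant-time;
    # a Python loop gives no such guarantee.
    return diff == 0

def poodle_exposure(major: int, minor: int, complete_check: bool) -> str:
    """Classify a stack by negotiated ProtocolVersion and padding check."""
    name = VERSIONS.get((major, minor))
    if name is None:
        return "unknown version"
    if name == "SSLv3":
        return "SSLv3: protocol-level weakness, disable SSLv3"
    if complete_check:
        return name + ": not affected"
    return name + ": implementation bug (POODLE 2.0), fix the padding check"

# Constructed records: 16 bytes of data, a 20-byte MAC placeholder, then
# 11 padding bytes plus the padding_length byte (48 bytes, three AES blocks).
BODY = b"GET / HTTP/1.1\r\n" + b"\x00" * 20
WELL_FORMED = BODY + bytes([11]) * 12
MALFORMED = BODY + b"\xaa" * 11 + bytes([11])  # padding bytes are not 0x0b

if __name__ == "__main__":
    for label, rec in (("well-formed", WELL_FORMED), ("malformed", MALFORMED)):
        print(label, "lax:", padding_ok_lax(rec), "tls:", padding_ok_tls(rec))
    print(poodle_exposure(3, 0, True))
    print(poodle_exposure(3, 3, True))
```

The malformed record passes the incomplete check and fails the complete one, which is the distinction the paragraph above draws between affected TLS implementations and one that performs all the checks.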

 

More details on POODLE and TLS 1.2 here: https://www.imperialviolet.org/2014/12/08/poodleagain.html

Last update: 06-01-2015 09:39 AM