Zero-day vulnerability in OpenSSL

Information disclosure
CVE-2014-3566

The vulnerability was used in the attack called Poodle against Docker.

Vulnerability details

Advisory: SB2014101601 - Multiple vulnerabilities in OpenSSL

Vulnerable component: OpenSSL

CVE-ID: CVE-2014-3566

CVSSv3 score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Description:

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to usage of insecure SSLv3 protocol in OpenSSL. A remote attacker can force the current connection between user and server to be downgraded to SSLv3 protocol and then use padding-oracle attack on Cypher-block chaining (CBC) mode to decrypt encrypted communication.

Successful exploitation of the vulnerability may allow an attacker to read encrypted communications in clear text.

Note: The vulnerability is known as POODLE.