CVE-2014-3566

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
nss	24.04 LTS noble	Not affected
	23.10 mantic	Not affected
	23.04 lunar	Not affected
	22.10 kinetic	Not affected
	22.04 LTS jammy	Not affected
	20.04 LTS focal	Not affected
	19.04 disco	Not affected
	18.10 cosmic	Not affected
	18.04 LTS bionic	Not affected
	17.10 artful	Not affected
	17.04 zesty	Not affected
	16.10 yakkety	Not affected
	16.04 LTS xenial	Not affected
	15.10 wily	Not affected
	15.04 vivid	Not affected
	14.10 utopic	Not affected
	14.04 LTS trusty	Not affected
	12.04 LTS precise	Not affected
	10.04 LTS lucid	Not affected
openjdk-6	24.04 LTS noble	Not in release
	23.10 mantic	Not in release
	23.04 lunar	Not in release
	22.10 kinetic	Not in release
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release
	19.04 disco	Not in release
	18.10 cosmic	Not in release
	18.04 LTS bionic	Not in release
	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.10 yakkety	Not in release
	16.04 LTS xenial	Not in release
	15.10 wily	Not affected
	15.04 vivid	Not affected
	14.10 utopic	Fixed 6b34-1.13.6-1ubuntu0.14.10.1
	14.04 LTS trusty	Fixed 6b34-1.13.6-1ubuntu0.14.04.1
	12.04 LTS precise	Fixed 6b34-1.13.6-1ubuntu0.12.04.1
	10.04 LTS lucid	Fixed 6b34-1.13.6-1ubuntu0.10.04.1
openjdk-7	24.04 LTS noble	Not in release
	23.10 mantic	Not in release
	23.04 lunar	Not in release
	22.10 kinetic	Not in release
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release
	19.04 disco	Not in release
	18.10 cosmic	Not in release
	18.04 LTS bionic	Not in release
	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.10 yakkety	Not in release
	16.04 LTS xenial	Not in release
	15.10 wily	Not affected
	15.04 vivid	Not affected
	14.10 utopic	Fixed 7u75-2.5.4-1~utopic1
	14.04 LTS trusty	Fixed 7u75-2.5.4-1~trusty1
	12.04 LTS precise	Fixed 7u75-2.5.4-1~precise1
	10.04 LTS lucid	Not in release
openssl	24.04 LTS noble	Fixed 1.0.1f-1ubuntu9
	23.10 mantic	Fixed 1.0.1f-1ubuntu9
	23.04 lunar	Fixed 1.0.1f-1ubuntu9
	22.10 kinetic	Fixed 1.0.1f-1ubuntu9
	22.04 LTS jammy	Fixed 1.0.1f-1ubuntu9
	20.04 LTS focal	Fixed 1.0.1f-1ubuntu9
	19.04 disco	Fixed 1.0.1f-1ubuntu9
	18.10 cosmic	Fixed 1.0.1f-1ubuntu9
	18.04 LTS bionic	Fixed 1.0.1f-1ubuntu9
	17.10 artful	Fixed 1.0.1f-1ubuntu9
	17.04 zesty	Fixed 1.0.1f-1ubuntu9
	16.10 yakkety	Fixed 1.0.1f-1ubuntu9
	16.04 LTS xenial	Fixed 1.0.1f-1ubuntu9
	15.10 wily	Fixed 1.0.1f-1ubuntu9
	15.04 vivid	Fixed 1.0.1f-1ubuntu9
	14.10 utopic	Fixed 1.0.1f-1ubuntu9
	14.04 LTS trusty	Fixed 1.0.1f-1ubuntu2.7
	12.04 LTS precise	Fixed 1.0.1-4ubuntu5.20
	10.04 LTS lucid	Fixed 0.9.8k-7ubuntu8.22
openssl098	24.04 LTS noble	Not in release
	23.10 mantic	Not in release
	23.04 lunar	Not in release
	22.10 kinetic	Not in release
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release
	19.04 disco	Not in release
	18.10 cosmic	Not in release
	18.04 LTS bionic	Not in release
	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.10 yakkety	Not in release
	16.04 LTS xenial	Not in release
	15.10 wily	Not in release
	15.04 vivid	Ignored
	14.10 utopic	Ignored
	14.04 LTS trusty	Not in release
	12.04 LTS precise	Ignored
	10.04 LTS lucid	Not in release
pound	24.04 LTS noble	Not in release
	23.10 mantic	Not in release
	23.04 lunar	Not in release
	22.10 kinetic	Not affected
	22.04 LTS jammy	Not affected
	20.04 LTS focal	Not affected
	19.04 disco	Not in release
	18.10 cosmic	Not in release
	18.04 LTS bionic	Not in release
	17.10 artful	Not affected
	17.04 zesty	Not affected
	16.10 yakkety	Not affected
	16.04 LTS xenial	Not affected
	15.10 wily	Not affected
	15.04 vivid	Fixed 2.6-6+deb8u1build0.15.04.1
	14.10 utopic	Ignored
	14.04 LTS trusty	Vulnerable
	12.04 LTS precise	Ignored
	10.04 LTS lucid	Not in release

Notes

mdeslaur

We recommend disabling SSLv3 on servers, if possible. Community-provided information on disabling SSLv3 can be found here: http://askubuntu.com/a/537196 SANS provided information on disabling SSLv3 can be found here: https://isc.sans.edu/forums/diary/POODLE+Turning+off+SSLv3+for+various+servers+and+client+/18837

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
nss	Upstream: https://hg.mozilla.org/projects/nss/rev/45cb71fd7bca
openssl	Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=c6a876473cbff0fd323c8abcaace98ee2d21863d Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=dc5dfe431cffbc1fa8eeead0853bd03395e52e71 Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=3f4d81e88b6f3cce83eae0448cc6542e3e251854 Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=d2866063015d839569c2323cae85d1d27ccdb484 Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6bfe55380abbf7528e04e59f18921bd6c896af1c Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7d07c75c5b97a31edfdec8076bd720166fdde789 Upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=80fb4820cb1c849348b5246330b35ed4f51af562

Package

Patch details

nss

Upstream: https://hg.mozilla.org/projects/nss/rev/45cb71fd7bca

openssl

Severity score breakdown

Parameter	Value
Base score	3.4 · Low
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	Required
Scope	Changed
Confidentiality	Low
Integrity impact	None
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

Cvss 3 Severity Score

Status

Notes

mdeslaur

Patch details

Severity score breakdown

References

Related Ubuntu Security Notices (USN)

Other references