Strategy, Vulnerability management

POODLE back to bite TLS connections

December 10, 2014

It's back. Or in reality, POODLE never truly left, it's just shifted its focus from Secure Sockets Layer Version 3 and the flaw could now take a bite out of Transport Layer Security.

Google security engineer Adam Langley said in a Monday blog post that the company had “done pretty well at killing off SSLv3” in its initial response to the POODLE flaw. But researchers recently discovered that  “if an SSLv3 decoding function was used with TLS, then the POODLE attack would work, even against TLS connections,” according to Langley.

After discovering the flaw, known as CVE-2014-8730, at sites using F5 and A10 devices to terminate connections, Langley contacted both companies, which have since issued patches.

An F5 advisory urged those affected to “configure a custom cipher string for the SSL profile and associate the profile with the virtual servers.”

prestitial ad