
2014-SV4 POODLE

Protocol vulnerability affecting OMERO versions up to and including 5.0.5.

Synopsis

The POODLE attack, also known as CVE-2014-3566, can exploit SSLv3 if it is enabled.

Background

From the CVE: "The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the POODLE issue."

Affected packages

All OMERO components (server, Java, Python, C++) prior to 5.0.6.

Impact

The POODLE attack is a man-in-the-middle attack and therefore "can succeed only when the attacker can impersonate each endpoint to the satisfaction of the other". As with 2014-SV3-CSRF, the POODLE attack can only be used if a user can be convinced or tricked into opening an untrusted connection.

Due to the complexity of such an exploit, we do not consider this a critical security vulnerability.

Workaround

Use the provided patch to disable SSLv3:

Resolution

All OMERO.server users should upgrade to at least 5.0.6:
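Whether the workaround patch or the upgrade is applied, the check an administrator wants afterwards is that the server no longer completes an SSLv3 handshake. The following is an added example, not OMERO's code and not the patch referred to above: it sends a minimal SSLv3 ClientHello and classifies the first record the server sends back; the cipher-suite list, the alert codes treated as a refusal and the port passed to `probe()` are assumptions of the example.

```python
"""Check whether a TLS endpoint still accepts an SSLv3 handshake (POODLE exposure)."""
import socket
import struct

SSLV3 = 0x0300  # protocol version the POODLE attack depends on


def build_sslv3_client_hello() -> bytes:
    """Minimal SSLv3 ClientHello record offering three CBC suites (constructed list)."""
    suites = b"\x00\x2f\x00\x35\x00\x0a"  # AES128-SHA, AES256-SHA, 3DES-SHA
    body = (struct.pack("!H", SSLV3)          # client_version
            + b"\x00" * 32                    # random (time + 28 bytes, zeroed here)
            + b"\x00"                         # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                    # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type=ClientHello, 3-byte length
    return b"\x16" + struct.pack("!HH", SSLV3, len(handshake)) + handshake  # record header


def classify_response(data: bytes) -> str:
    """Classify the server's first record: 'sslv3_accepted', 'refused', 'closed' or 'unknown'."""
    if not data:
        return "closed"  # server dropped the connection without negotiating
    if len(data) < 5:
        return "unknown"
    content_type, _record_version, _length = struct.unpack("!BHH", data[:5])
    if content_type == 0x15 and len(data) >= 7:  # Alert record: level, description
        # handshake_failure (40) or protocol_version (70) means SSLv3 was rejected
        return "refused" if data[6] in (0x28, 0x46) else "unknown"
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:  # ServerHello
        server_version = struct.unpack("!H", data[9:11])[0]
        return "sslv3_accepted" if server_version == SSLV3 else "unknown"
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello and classify the reply (network access required)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except socket.timeout:
            return "unknown"
```

Anything other than `sslv3_accepted` means the endpoint did not complete an SSLv3 handshake; run the probe against each OMERO component's listening port after patching or upgrading.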
