affects OMERO versions 5.0.5 and earlier
The POODLE attack, also known as CVE-2014-3566 can make use of SSLv3 if enabled.
From the CVE: "The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the POODLE issue."
All OMERO components (server, Java, Python, C++) prior to 5.0.6.
The POODLE attack is a man-in-the-middle and therefore "can succeed only when the attacker can impersonate each endpoint to the satisfaction of the other". As with 2014-SV3-CSRF, only if a user can be convinced or tricked into opening an untrusted connection can the POODLE attack be used.
Due to the complexity of such an exploit, we do not consider this a critical security vulnerability.
Use 2014-SV4-poodle.patch to disable SSLv3.
All OMERO.servers should be upgraded to at least 5.0.6.
© 2005-2024 University of Dundee & Open Microscopy Environment. Creative Commons Attribution 4.0 International License
OME source code is available under the GNU General public license or more permissive open source licenses, or through commercial license from Glencoe Software Inc.
OME, Bio-Formats, OMERO, IDR and their associated logos are trademarks of Glencoe Software Inc., which holds these marks to protect them on behalf of the OME community.
[ Site Map ]
Version: 2024.04.18