Hi All,
Before I ask my question:
It seems some TLS implementations may be vulnerable to a POODLE-like attack if they use SSL 3.0-type padding and the padding bytes are not checked by the implementation.
https://www.imperialviolet.org/2014/12/08/poodleagain.html
https://devcentral.f5.com/articles/cve-2014-8730-padding-issue-8151
CVE-2014-8730 was assigned to this issue (by MITRE, I suppose) and it's not clear if this CVE has been assigned to their code or to the protocol weakness.
I have not checked if any implementations are vulnerable, but could MITRE please confirm if it's OK to reuse this CVE if any crypto libs are found vulnerable, or if they plan to assign another CVE ID?
–
Huzaifa Sidhpurwala / Red Hat Product Security Team
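The difference the post is about, as an added illustration that is not part of the original message or of any library it mentions: an SSL 3.0-style unpad only trusts the final length byte, while a TLS 1.x-style unpad requires every padding byte to equal that length byte. The record contents below are constructed test vectors (they stand in for a decrypted CBC block with the MAC already removed), and the function names are this example's own.

```python
from typing import Optional

def ssl3_style_unpad(plaintext: bytes) -> Optional[bytes]:
    """SSL 3.0-style padding removal: only the length byte is inspected.

    The padding bytes themselves are never checked, so a record whose
    padding has been tampered with is still accepted. This is the
    weakness described for CVE-2014-8730 (illustrative model, not a
    specific vendor's code).
    """
    if not plaintext:
        return None
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return None
    return plaintext[: -(pad_len + 1)]

def tls_unpad(plaintext: bytes) -> Optional[bytes]:
    """TLS 1.x-style padding removal: every padding byte must equal pad_len.

    The mismatch is accumulated with OR rather than returning early so the
    loop does not leak, via timing, which byte was wrong. A production
    implementation also has to check the MAC and keep the whole
    unpad-plus-MAC path constant time (Lucky 13); that is out of scope here.
    """
    if not plaintext:
        return None
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return None
    mismatch = 0
    for b in plaintext[-(pad_len + 1):-1]:
        mismatch |= b ^ pad_len
    if mismatch:
        return None
    return plaintext[: -(pad_len + 1)]

# Constructed records: 5 bytes of payload followed by 4 bytes of padding
# (three padding bytes plus the length byte 0x03).
GOOD_RECORD = b"hello" + b"\x03\x03\x03\x03"   # padding bytes all equal pad_len
BAD_RECORD = b"hello" + b"\x41\x42\x43\x03"    # padding bytes garbage, length byte intact
SHORT_RECORD = b"\x09"                         # length byte larger than the record

def compare_checks(record: bytes) -> dict:
    """Run both unpadders on one record and report what each one accepts."""
    return {
        "ssl3_style": ssl3_style_unpad(record),
        "tls": tls_unpad(record),
    }

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD), ("short", SHORT_RECORD)):
        print(name, compare_checks(rec))
```

The point of the comparison is the `BAD_RECORD` case: the SSL 3.0-style check returns the payload as if nothing were wrong, while the TLS-style check rejects the record. An implementation whose CBC unpadding behaves like the first function while speaking TLS is the kind of code the post is asking about, and a record-level test of this shape is a cheap way to confirm which behaviour a library actually has.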