{"document":{"category":"csaf_vex","csaf_version":"2.1","notes":[{"category":"summary","text":"Palo Alto Networks PSIRT provided VEX document. This document is autogenerated.","title":"SSL 3.0 MITM Attack"}],"publisher":{"category":"vendor","name":"Palo Alto Networks","namespace":"https://security.paloaltonetworks.com"},"title":"Palo Alto Networks PSIRT provided VEX document: CVE-2014-3566","distribution":{"text":"Copyright © 2024 Palo Alto Networks. All rights reserved.","tlp":{"label":"CLEAR","url":"https://www.first.org/tlp/"}},"tracking":{"current_release_date":"2026-04-11T00:27:07.911Z","generator":{"date":"2026-04-11T00:27:07.911Z","engine":{"name":"Vulnogram","version":"0.0.9"}},"id":"CVE-2014-3566","initial_release_date":"2014-10-20T07:00:00.000Z","revision_history":[{"number":"1","date":"2026-04-10T17:27:07.000Z","summary":"Initial release"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"name":"Palo Alto Networks","category":"vendor","branches":[]}]},"vulnerabilities":[{"cve":"CVE-2014-3566","product_status":{"fixed":["PANW-PAN-OS-484","PANW-PAN-OS-475"],"known_affected":["PANW-PAN-OS-479","PANW-PAN-OS-474"]},"notes":[{"category":"description","text":"A vulnerability affecting most implementations of SSL 3.0 has been discovered that allows an attacker to decrypt some encrypted contents under certain conditions (CVE-2014-3566).  The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the \"POODLE\" issue.  More information can be found at: https://www.openssl.org/~bodo/ssl-poodle.pdf.  SSL 3.0 is a supported protocol in PAN-OS services including device management and SSL VPN.\nThe conditions of successful exploitation are somewhat similar to the BEAST attack, which requires several conditions to be met for successful exploitation (i.e. the attacker requires a man-in-the-middle position in the network and must also be able to direct the victim client to send many repeated requests to the vulnerable server on behalf of the attacker via scripting, web sockets, or similar mechanism).  Due to the conditions required of a successful attack scenario, the risk of exploitation is not particularly high.  More information can be found in Microsoft Security Advisory 3009008 (https://technet.microsoft.com/library/security/3009008).\nThis issue affects PAN-OS 6.1.1 and earlier; PAN-OS 6.0.7 and earlier; PAN-OS 5.1.x and PAN-OS 5.0.x."}],"references":[{"category":"external","summary":"NVD - CVE-2014-3566","url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3566"},{"category":"self","summary":"Palo Alto Networks Security Advisory CVE-2014-3566","url":"https://security.paloaltonetworks.com/CVE-2014-3566"}],"threats":[{"category":"impact","description":"A vulnerability affecting most implementations of SSL 3.0 has been discovered that allows an attacker to decrypt some encrypted contents under certain conditions (CVE-2014-3566).  The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the \"POODLE\" issue.  More information can be found at: https://www.openssl.org/~bodo/ssl-poodle.pdf.  SSL 3.0 is a supported protocol in PAN-OS services including device management and SSL VPN.\nThe conditions of successful exploitation are somewhat similar to the BEAST attack, which requires several conditions to be met for successful exploitation (i.e. the attacker requires a man-in-the-middle position in the network and must also be able to direct the victim client to send many repeated requests to the vulnerable server on behalf of the attacker via scripting, web sockets, or similar mechanism).  Due to the conditions required of a successful attack scenario, the risk of exploitation is not particularly high.  More information can be found in Microsoft Security Advisory 3009008 (https://technet.microsoft.com/library/security/3009008).\nThis issue affects PAN-OS 6.1.1 and earlier; PAN-OS 6.0.7 and earlier; PAN-OS 5.1.x and PAN-OS 5.0.x."}],"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":3.4,"baseSeverity":"LOW"},"products":["PANW-PAN-OS-479","PANW-PAN-OS-474"]}]}]}