AnsweredAssumed Answered

Zombie POODLE and GOLDENDOODLE Vulnerabilities - Oracle HTTP Server 12c

Question asked by Soma Yedubati on Jun 14, 2019
Latest reply on Jun 24, 2019 by the iamdude

Hello Qualys Community,

 

We ran SSL Server test on SSL Labs site and the overall rating shows as 'F' now with the below messages for Ciphers and Protocol section.If we removed the CBC weak one's from CipherSuite the status changed to A+ rating but the application cannot load on IE 11.

 

We opened a support case with Vendor but they said no Vulnerabilities on OHS 12c, but requested more details from SSL Labs. Can you please provide the requested details below by vendor?

 

 

You have not provided information that shows a vulnerability. 
I have provided you the requirements from you in order to move this forward. 
It is up to you to get the required information from the scanning software company on 
how our software is vulnerable and how it can be exploited. We need details on this 
from you. There is nothing to escalate until you provide us this required information. 

 

Cipher Suites

# TLS 1.2 (server has no preference)

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK128TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS128TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK256

Protocol Details
DROWNNo, server keys and hostname not seen elsewhere with SSLv2
(1) For a better understanding of this test, please read this longer explanation
(2) Key usage data kindly provided by the Censys network search engine; original DROWN website here
(3) Censys data is only indicative of possible key and certificate reuse; possibly out-of-date and not complete
Secure RenegotiationSupported
Secure Client-Initiated RenegotiationYes
Insecure Client-Initiated RenegotiationNo
BEAST attackMitigated servr-side (more info)  
POODLE (SSLv3)No, SSL 3 not supported (more info)
POODLE (TLS)No (more info)
Zombie POODLENo (more info)   TLS 1.2 : 0xc027
GOLDENDOODLENo (more info)   TLS 1.2 : 0xc027
OpenSSL 0-LengthYes   (more info)   TLS 1.2 : 0xc027

 

 

https://blog.qualys.com/technology/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities

Zombie POODLE and GOLDENDOODLE Vulnerabilities

Posted by Yash Sannegowda in Qualys Technology, SSL Labs on April 22, 2019 1:40 AM

Recently new vulnerabilities like Zombie POODLE, GOLDENDOODLE, 0-Length OpenSSL and Sleeping POODLE were published for websites that use CBC (Cipher Block Chaining) block cipher modes. These vulnerabilities are applicable only if the server uses TLS 1.2 or TLS 1.1 or TLS 1.0 with CBC cipher modes.

Update May 30, 2019: The grade change described below is now live on https://www.ssllabs.com/

 

SSL Labs identifies cipher suites using CBC with orange color and with text WEAK. This change won’t have any effect on the grades, as it only means that SSL Labs discourages the use of CBC-based cipher suites further.

SSL Labs will start giving “F” grade to the server affected by these vulnerabilities from end of May 2019. For now, SSL Labs will give only a warning for affected servers:

  • Zombie POODLE (Invalid padding with valid MAC)
  • GOLDENDOODLE (Valid padding with an invalid MAC)
  • 0-Length OpenSSL (Invalid Mac/Valid Pad, 0-length record)
  • Sleeping POODLE (invalid padding with valid MAC)

Outcomes