AWS-2014-009
2015/01/07 8:30 AM PST - Update - Amazon CloudFront: We have disabled SSLv3 for all customers who use SSL with the default CloudFront domain name (*.cloudfront.net). ---------------------------------------------------------------------------------------- 2014/10/24 7:30 PM PDT - Update - Amazon CloudFront: Today, we launched the feature that allows customers to disable or enable SSLv3 for Dedicated IP Custom SSL Certificates. Existing distributions created before the launch of this feature will continue to allow SSLv3 by default; customers who want to disable SSLv3 on existing distributions that use Dedicated IP custom SSL can do so using the CloudFront API or AWS Management Console. We recommend that customers disable SSLv3 if their use case allows it. You can read more about how to do this in our documentation . As a reminder, on November 3rd, 2014, we will begin disabling SSLv3 for ALL customers who use SSL with the default CloudFront domain name (*.cloudfront.net). ---------------------------------------------------------------------------------------- 2014/10/17 5:00 PM PDT - Update Amazon CloudFront: We'd like to provide three updates regarding our plans for support of SSLv3 …
Timeline
- Oct 21, 2014 PoC Published
- Oct 9, 2019 CVE Published
- Apr 11, 2025 PoC Published
References
- CVE-2014-3566 Advisory advisory
- http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesMinimumSSLProtocolVersion web
- https://alas.aws.amazon.com/ALAS-2014-427.html web
- http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-ssl-security-policy.html web
- http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html#cnames-https-dedicated-ip-or-sni web
- https://alas.aws.amazon.com/ web