What IS POODLE: SSLv3 vulnerability?

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.

Who is affected by this Vulnerability?

POODLE affects older standards of encryption, specifically Secure Socket Layer (SSL) version 3. It is a protocol flaw, not an implementation issue; every implementation of SSL 3.0 suffers from it. This vulnerability affects every piece of software that can be coerced into communicating with SSLv3. This means that any software that implements a fallback mechanism that includes SSLv3 support is vulnerable and can be exploited. Some common pieces of software that may be affected are web browsers, web servers, VPN servers, mail servers, etc.

It does not affect the newer encryption mechanism known as Transport Layer Security (TLS).
Generic Workarounds:

  • Disable SSL 3.0 support in the client
  • Disable SSL 3.0 support in the server.
  • Disable support for CBC-based cipher suites when using SSL 3.0 (in either client or server).
  • Implement new SSL/TLS extension to detect when some active attacker is breaking connections to force your client and server to use SSL 3.0, even though both know TLS 1.0 or better. Both client and server must implement it.

Any of these four solutions avoids the vulnerability.

Prevention steps to be followed for Apache Web Server

To disable SSLv3 on the Apache web server, you will have to adjust the SSLProtocol directive provided by the mod_ssl module. This directive can be set either at the server level or in a virtual host configuration. Depending on your distribution's Apache configuration, the SSL configuration may be located in a separate file that is sourced.

On Ubuntu, the server-wide specification for servers can be adjusted by editing the file /etc/apache2/mods-available/ssl.conf

If mod_ssl is enabled, a symbolic link will connect this file to the mods-enabledsubdirectory:
sudonano /etc/apache2/mods-available/ssl.conf
Save and close the file.

Restart the service to enable your changes.

sudo service apache2 restart
On CentOS, you can can adjust this in the SSL configuration file located here (if SSL is enabled): sudonano /etc/httpd/conf.d/ssl.conf

Inside you can find the SSLProtocol directive. If this is not available, create it. Modify this to explicitly remove support for SSLv3:
SSLProtocol all -SSLv3 -SSLv2

Save and close the file. Restart the service to enable your changes.
sudo service httpd restart

Prevention steps to be followed for Windows Server

Prevention steps to be followed onHAProxy Load Balancer

Prevention steps to be followed on Nginx Web Server