POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.
POODLE affects older standards of encryption, specifically Secure Sockets Layer (SSL) version 3. It is a protocol flaw, not an implementation issue; every implementation of SSL 3.0 suffers from it. This vulnerability affects every piece of software that can be coerced into communicating over SSLv3. This means that any software that implements a fallback mechanism that includes SSLv3 support is vulnerable and can be exploited. Some common pieces of software that may be affected are web browsers, web servers, VPN servers, mail servers, etc.
It does not affect the newer encryption mechanism known as Transport Layer Security (TLS).
Generic Workarounds:
Prevention steps to be followed for Apache Web Server
To disable SSLv3 on the Apache web server, you will have to adjust the SSLProtocol directive provided by the mod_ssl module. This directive can be set either at the server level or in a virtual host configuration. Depending on your distribution's Apache configuration, the SSL configuration may be located in a separate file that is sourced.
On CentOS, you can adjust this in the SSL configuration file located here (if SSL is enabled):
Prevention steps to be followed for Windows Server
In Windows Server 2003 to 2012 R2, the SSL/TLS protocols are controlled by flags in the registry set at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols.
To disable SSLv3, create a subkey at the above location (if it's not already present) named SSL 3.0 and, under that, a subkey named Server (if it's not already present). At this location
To disable SSLv2, create a subkey at the above location (if it's not already present) named SSL 2.0 and, under that, a subkey named Server (if it's not already present). At this location,
Prevention steps to be followed on HAProxy Load Balancer
To disable SSLv3 in an HAProxy load balancer, you will need to open the haproxy.cfg file.
Prevention steps to be followed on Nginx Web Server
To disable SSLv3 in the Nginx web server, you can use the ssl_protocols directive. This will be located in the server or http blocks in your configuration.
For instance, on Ubuntu, you can either add this globally to /etc/nginx/nginx.conf inside of the http block, or to each server block in the /etc/nginx/sites-enabled directory.
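An added example, not part of the original page: a Python audit that scans configuration text for the SSLProtocol and ssl_protocols directives named in the Apache and Nginx sections above and reports every occurrence that still leaves SSLv3 enabled. The sample configurations are constructed; treating Apache's "all" as including SSLv3 and unprefixed protocol names as additive are conservative assumptions made here, so the check may over-report but will not miss an explicit SSLv3.

```python
import re

# Directive names come from the page; the regexes and helper names are this example's own.
DIRECTIVES = {
    "apache": re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.I),
    "nginx": re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.I),
}
# Assumption: "all" is expanded as on older builds, where it includes SSLv3.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def apache_allows_sslv3(value):
    """Evaluate one SSLProtocol argument list such as 'all -SSLv2 -SSLv3'."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = APACHE_ALL if name.lower() == "all" else {name.lower()}
        if sign == "-":
            enabled -= names
        else:  # unprefixed names are treated like '+' (conservative assumption)
            enabled |= names
    return "sslv3" in enabled

def audit(server, conf_text):
    """Return [(line_no, directive)] for directives that leave SSLv3 enabled."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVES[server].match(line)  # comment lines never match
        if not m:
            continue
        value = m.group(1)
        if server == "apache":
            bad = apache_allows_sslv3(value)
        else:  # Nginx lists the enabled protocols explicitly
            bad = "sslv3" in value.lower().split()
        if bad:
            findings.append((no, line.strip()))
    return findings

# Constructed sample configurations (not taken from any real host).
APACHE_SAMPLE = ("# global setting still permits SSLv3\n"
                 "SSLProtocol all -SSLv2\n"
                 "<VirtualHost *:443>\n"
                 "    SSLProtocol all -SSLv2 -SSLv3\n"
                 "</VirtualHost>\n")
NGINX_SAMPLE = ("http {\n"
                "    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n"
                "    server {\n"
                "        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"
                "    }\n"
                "}\n")

if __name__ == "__main__":
    for server, text in (("apache", APACHE_SAMPLE), ("nginx", NGINX_SAMPLE)):
        for no, directive in audit(server, text):
            print(f"{server}: line {no} leaves SSLv3 enabled: {directive}")
```

The audit only inspects directives that are present in the text it is given; a server with no explicit directive falls back to its build's default, which has to be checked separately.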