Network Communication / SSLv3 Padding Oracle on Downgraded Legacy Encryption Vulnerability (Poodle)

Description

SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) is a vulnerability identified by the Common Weakness Enumeration (CWE) directory (CWE-310) and defined in the OWASP Testing Guide as “an attack that exploits the SSL 3.0 protocol’s fallback to a lower security version of the protocol, allowing attackers to decrypt and decipher data transmitted through the SSL connection.” The vulnerability occurs in the network communications infrastructure and allows for man-in-the-middle (MitM) attacks.

Risk

The POODLE vulnerability exposes organizations to a high risk of compromised data, as it allows attackers to decrypt traffic sent over the insecure SSL 3.0 protocol. If an organization has not disabled this protocol, attackers can more easily perform MitM attacks and intercept sensitive data.

Solution

Organizations should disable the SSL 3.0 protocol and enable TLS 1.2 instead. This will protect against the POODLE vulnerability, as TLS 1.2 is a secure protocol that is not affected by this vulnerability.