Description

Websites that support SSLv3 and CBC-mode ciphers are potentially vulnerable to an active MITM (Man-in-the-middle) attack. This attack, called POODLE, is similar to the BEAST attack and also allows a network attacker to extract the plaintext of targeted parts of an SSL connection, usually cookie data. Unlike the BEAST attack, it doesn't require such extensive control of the format of the plaintext and thus is more practical.

Any website that supports SSLv3 is vulnerable to POODLE, even if it also supports more recent versions of TLS. SSLv3 is disabled by default in Firefox 34, which was released on Nov 25 2014.

Remediation

It's recommended to disable SSLv3 and replace it with TLS 1.2 or higher

To disable SSLv2 and SSLv3:
For Apache:
SSLProtocol all -SSLv2 -SSLv3
For Nginx:
ssl_protocols TLSv1.2;

References

This POODLE bites: exploiting the SSL 3.0 fallback

The POODLE Attack and the End of SSL 3.0

This POODLE bites: exploiting the SSL 3.0 fallback (technical paper)

How POODLE Happened

How to disable SSLv3

Related Vulnerabilities

Laravel Health Monitor open

XML entity injection

GraphQL Alias Overloading Allowed: Potential Denial of Service Vulnerability

PHP magic_quotes_gpc is disabled

Reverse Proxy Detected

Severity

Medium

Classification

CVE-2014-3566 CWE-326 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Configuration Weak Crypto