POODLE (Padding Oracle On Downgraded Legacy Encryption)

Document ID : KB000089479
Last Modified Date : 14/04/2018
Show Technical Document Details
Issue:
POODLE (Padding Oracle On Downgraded Legacy Encryption)
Resolution:

POODLE (Padding Oracle On Downgraded Legacy Encryption)




Facts


Poodle is security hole in Secure Sockets Layer (SSL) 3.0 discovered by Google security engineers. The vulnerability allows encrypted, ostensibly-secret information to be exposed by an attacker with network access. Poodle, which stands for Padding Oracle On Downgraded Legacy Encryption, is a problem because it's used by both websites and Web browsers. Both must be reconfigured to prevent using SSL 3.0. The good news is that most website and web browsers use a TLS protocol, which is SSL's more modern, less vulnerable younger sibling.


The reason that Poodle is a problem is that attackers can force your browser to downgrade to SSL 3.0. If either browser or server runs into problems connecting with TLS, sites and browsers will often fall back to SSL. The problem is that attackers can force a connection failure which would force a site to use SSL 3.0, which would then expose it to hackers. There are workarounds possible to stop an attacker from forcing this failure or to prevent falling back to using SSL 3.0.

 



Applications Manager


Thisis, as with the Heartbleed vulnerability, less a question of Automic and ourproducts than of the underlying server/browser infrastructure.


To exploit it an attacker has to be on the same network as the web browserhaving the session to the server (i.e.: it cannot exploited form anywhere inthe internet remotely). It is the underlying webserver or browser which defines the encryption protocol; Notthe Automic product. For information on how to do this within the web browser or Apache webserver, it is recommended to contact those vendors.


With the right security measures applied by systemadministrators outside of the Automic products within the core webserver andbrowser (i.e. client) infrastructure, as well as the fact that attackers wouldhave to be within the same network to exploit the vulnerability, customers canbe sufficiently sure that they are out of risk. Especially out of risk arisingfrom within Automic products.