POODLE Security Vulnerability CVE-2014-3566

On October 14, 2014, Google announced the Poodle attack that exploits the fallback to SSL 3.0. Information of the POODLE attack is tracked in CVE-2014-3566.

POODLE stands for “Padding Oracle On Downgraded Legacy Encryption.” When a browser and a server negotiate an SSL/TLS handshake, they agree on the highest level of SSL/TLS protocol that they both support. However, due to interoperability issues, the SSL/TLS level can be downgraded to unsafe levels.

If the SSL/TLS protocol can be downgraded to SSL 3.0, then POODLE will allow items such as “secure” HTTP cookies or HTTP Authorization header contents to be stolen from downgraded communications. More information on how POODLE works can be found in the Security Advisory prepared by Google.

POODLE is not a flaw with the SSL certificate, nor is it an issue with the certification authority (CA) or certificate management system. POODLE is an attack of the SSL/TLS protocol, which can be mitigated by removing support for SSL 3.0.

Entrust customers are urged to implement the changes described in the Corrective Action section below.

Impact of Vulnerability

POODLE provides no vulnerability to Entrust SSL certificates or related products. There is also no vulnerability to the certification authority or the certificate management systems. SSL 3.0 has been disabled on all Entrust servers that are used with the SSL service.

Customer servers may be vulnerable to POODLE if SSL 3.0 is enabled.

Mitigating Factors

If SSL 3.0 must be supported, then the attack can be mitigated by preventing SSL/TLS fallback. This can be achieved by implementing TLS_FALLBACK_SCSV. The Web server must support fallback protection, which is included in OpenSSL.

Corrective Action

POODLE can be mitigated by disabling SSL 3.0. POODLE attack technical notification will provide support in disabling SSL 3.0.

Support

Entrust customer support is available by phone at our regular support numbers.

Learn More