Overview
POODLE (Padding Oracle On Downgraded Legacy Encryption) is a man-in-the-middle attack disclosed in October 2014 by Bodo Möller, Thai Duong, and Krzysztof Kotowicz of Google. It targets a fundamental design flaw in SSLv3's use of Cipher Block Chaining (CBC) mode encryption: SSLv3 does not define the content of padding bytes, which enables a padding oracle attack. Unlike implementation bugs, this weakness is inherent to the SSLv3 protocol specification itself, meaning no patch can fix it—the only safe mitigation is disabling SSLv3 entirely.
A related variant, POODLE-TLS (CVE-2014-8730), was subsequently discovered affecting certain TLS implementations that did not properly validate CBC padding despite being covered by the TLS specification. Server and client software with this flaw required patching independently of SSLv3 deprecation.
How it works
The attack requires three conditions: the attacker must be in a man-in-the-middle position (e.g., on the same network segment), the connection must be downgradeable to SSLv3, and the attacker must be able to cause the victim's browser to make repeated requests to the target server (achievable via JavaScript injection on any origin, since the browser will attach cookies automatically).
- Protocol downgrade: Modern clients attempt TLS 1.2 or 1.3 first. If the handshake fails (genuine or attacker-induced), many clients fall back through TLS 1.1, TLS 1.0, and finally SSLv3. The attacker exploits this by injecting TCP RST packets to abort higher-version handshakes, forcing SSLv3.
- CBC padding oracle in SSLv3: In CBC mode, each plaintext block is XORed with the preceding ciphertext block before encryption. A MAC-then-encrypt scheme is used. In TLS, padding content is specified (all bytes must equal the padding length value), and a padding error causes a distinguishable error response—creating an oracle. SSLv3 specifies only the last padding byte; all preceding padding bytes are ignored, making every CBC block a valid oracle target.
- Byte-by-byte decryption: By manipulating specific bytes in the ciphertext and observing whether the server returns a MAC error versus a padding error (or a valid response), the attacker gains 1 bit of information per request. Over approximately 256 requests per byte, an attacker can recover each byte of plaintext—typically targeting session cookies sent in HTTP headers.
- Practical exploitation: Recovering a 16-byte session cookie requires on average 256 × 16 = 4,096 requests. At modern network speeds this can be accomplished in seconds to minutes, enabling session hijacking without breaking the encryption key.
The attack is entirely passive from the server's perspective—it exploits the protocol's error handling, not a memory corruption bug or input validation failure.
Business impact
A successful POODLE attack against an authenticated session allows the attacker to steal session tokens and impersonate the victim user without knowing their credentials. Depending on the application, this can result in:
- Account takeover and unauthorized access to sensitive application functionality or data.
- Regulatory and compliance exposure — continued support of SSLv3 directly violates PCI DSS 3.1+ requirements (which mandated SSLv3 disablement by June 2016) and is inconsistent with NIST SP 800-52 Rev. 2 guidance.
- Data confidentiality breach — any data transmitted over the downgraded SSLv3 session is potentially readable by the attacker, including authentication tokens, personal data, and API keys.
- Reputational damage — exposure of a long-deprecated vulnerability signals poor security hygiene to auditors, customers, and partners.
How to fix it
- Disable SSLv3 on all servers and clients. This is the definitive fix. In OpenSSL-based servers (Apache, Nginx), add
SSLProtocol all -SSLv2 -SSLv3(Apache) orssl_protocols TLSv1.2 TLSv1.3;(Nginx). In IIS, disable SSLv3 via the Windows registry keyHKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\ServerwithEnabled = 0. - Enforce a minimum of TLS 1.2 across all endpoints. TLS 1.3 is preferred. Deprecate TLS 1.0 and TLS 1.1 as well, both of which have documented weaknesses (BEAST, RC4 biases).
- Implement TLS_FALLBACK_SCSV (RFC 7507) on servers and clients. This Signaling Cipher Suite Value prevents protocol downgrade attacks by allowing the server to detect and reject artificially downgraded handshakes.
- Apply POODLE-TLS patches if your TLS stack was identified as vulnerable to CVE-2014-8730. Verify with your TLS library vendor's advisories (OpenSSL, NSS, SChannel, etc.).
- Audit all endpoints including load balancers, CDN origins, internal APIs, mail servers (SMTP STARTTLS, IMAPS), and VPN gateways—not just public-facing HTTPS servers.
- Validate cipher suite configuration using Mozilla's SSL Configuration Generator and test with tools such as SSL Labs Server Test to confirm SSLv3 is no longer offered.
References
- Möller, Duong, Kotowicz – This POODLE Bites: Exploiting the SSL 3.0 Fallback (Original Paper)
- NVD – CVE-2014-3566
- RFC 7507 – TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks
- RFC 7568 – Deprecating Secure Sockets Layer Version 3.0
- OWASP – Transport Layer Security Cheat Sheet
- MITRE CWE-326 – Inadequate Encryption Strength
- MITRE CWE-757 – Selection of Less-Secure Algorithm During Negotiation
- Mozilla Security – Server Side TLS Guidelines
- NIST SP 800-52 Rev. 2 – Guidelines for the Selection, Configuration, and Use of TLS Implementations