SSL Certificate Analysis Open Port Detection Web Application Scanning DNS Security Audit HTTP Header Analysis Misconfiguration Detection Software Fingerprinting Subdomain Enumeration
SSL Certificate Analysis Open Port Detection Web Application Scanning DNS Security Audit HTTP Header Analysis Misconfiguration Detection Software Fingerprinting Subdomain Enumeration

All Entries

Category Cryptographic Protocol Weakness / Padding Oracle
Typical Severity High
CVE CVE-2014-3566
OWASP A02:2021 – Cryptographic Failures
CWE CWE-326 (Inadequate Encryption Strength), CWE-757 (Selection of Less-Secure Algorithm)
Also known as POODLE, Padding Oracle On Downgraded Legacy Encryption
Affected systems Any server or client still supporting SSLv3; browsers, HTTPS servers, VPNs, mail servers using SSLv3 fallback
Disclosed October 14, 2014 (Google Security Team)

Overview

POODLE (Padding Oracle On Downgraded Legacy Encryption) is a man-in-the-middle attack disclosed in October 2014 by Bodo Möller, Thai Duong, and Krzysztof Kotowicz of Google. It targets a fundamental design flaw in SSLv3's use of Cipher Block Chaining (CBC) mode encryption: SSLv3 does not define the content of padding bytes, which enables a padding oracle attack. Unlike implementation bugs, this weakness is inherent to the SSLv3 protocol specification itself, meaning no patch can fix it—the only safe mitigation is disabling SSLv3 entirely.

A related variant, POODLE-TLS (CVE-2014-8730), was subsequently discovered affecting certain TLS implementations that did not properly validate CBC padding despite being covered by the TLS specification. Server and client software with this flaw required patching independently of SSLv3 deprecation.

How it works

The attack requires three conditions: the attacker must be in a man-in-the-middle position (e.g., on the same network segment), the connection must be downgradeable to SSLv3, and the attacker must be able to cause the victim's browser to make repeated requests to the target server (achievable via JavaScript injection on any origin, since the browser will attach cookies automatically).

  1. Protocol downgrade: Modern clients attempt TLS 1.2 or 1.3 first. If the handshake fails (genuine or attacker-induced), many clients fall back through TLS 1.1, TLS 1.0, and finally SSLv3. The attacker exploits this by injecting TCP RST packets to abort higher-version handshakes, forcing SSLv3.
  2. CBC padding oracle in SSLv3: In CBC mode, each plaintext block is XORed with the preceding ciphertext block before encryption. A MAC-then-encrypt scheme is used. In TLS, padding content is specified (all bytes must equal the padding length value), and a padding error causes a distinguishable error response—creating an oracle. SSLv3 specifies only the last padding byte; all preceding padding bytes are ignored, making every CBC block a valid oracle target.
  3. Byte-by-byte decryption: By manipulating specific bytes in the ciphertext and observing whether the server returns a MAC error versus a padding error (or a valid response), the attacker gains 1 bit of information per request. Over approximately 256 requests per byte, an attacker can recover each byte of plaintext—typically targeting session cookies sent in HTTP headers.
  4. Practical exploitation: Recovering a 16-byte session cookie requires on average 256 × 16 = 4,096 requests. At modern network speeds this can be accomplished in seconds to minutes, enabling session hijacking without breaking the encryption key.

The attack is entirely passive from the server's perspective—it exploits the protocol's error handling, not a memory corruption bug or input validation failure.

Business impact

A successful POODLE attack against an authenticated session allows the attacker to steal session tokens and impersonate the victim user without knowing their credentials. Depending on the application, this can result in:

  • Account takeover and unauthorized access to sensitive application functionality or data.
  • Regulatory and compliance exposure — continued support of SSLv3 directly violates PCI DSS 3.1+ requirements (which mandated SSLv3 disablement by June 2016) and is inconsistent with NIST SP 800-52 Rev. 2 guidance.
  • Data confidentiality breach — any data transmitted over the downgraded SSLv3 session is potentially readable by the attacker, including authentication tokens, personal data, and API keys.
  • Reputational damage — exposure of a long-deprecated vulnerability signals poor security hygiene to auditors, customers, and partners.

How to fix it

  1. Disable SSLv3 on all servers and clients. This is the definitive fix. In OpenSSL-based servers (Apache, Nginx), add SSLProtocol all -SSLv2 -SSLv3 (Apache) or ssl_protocols TLSv1.2 TLSv1.3; (Nginx). In IIS, disable SSLv3 via the Windows registry key HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server with Enabled = 0.
  2. Enforce a minimum of TLS 1.2 across all endpoints. TLS 1.3 is preferred. Deprecate TLS 1.0 and TLS 1.1 as well, both of which have documented weaknesses (BEAST, RC4 biases).
  3. Implement TLS_FALLBACK_SCSV (RFC 7507) on servers and clients. This Signaling Cipher Suite Value prevents protocol downgrade attacks by allowing the server to detect and reject artificially downgraded handshakes.
  4. Apply POODLE-TLS patches if your TLS stack was identified as vulnerable to CVE-2014-8730. Verify with your TLS library vendor's advisories (OpenSSL, NSS, SChannel, etc.).
  5. Audit all endpoints including load balancers, CDN origins, internal APIs, mail servers (SMTP STARTTLS, IMAPS), and VPN gateways—not just public-facing HTTPS servers.
  6. Validate cipher suite configuration using Mozilla's SSL Configuration Generator and test with tools such as SSL Labs Server Test to confirm SSLv3 is no longer offered.

References

Frequently asked questions

The original POODLE vulnerability (CVE-2014-3566) is a design flaw in the SSLv3 protocol specification, not in any particular implementation. SSLv3 does not mandate the content of CBC padding bytes, making a padding oracle attack structurally possible. Because the flaw is in the specification, no software patch can fix it—SSLv3 must be disabled entirely. A separate variant, POODLE-TLS (CVE-2014-8730), affected specific TLS implementations that incorrectly validated padding and could be addressed by patching those implementations.

An attacker needs three capabilities: (1) a man-in-the-middle network position between the client and server, (2) the ability to force the client to send many requests to the target server (typically via a malicious script executing in any browser tab), and (3) the server must still accept SSLv3 connections. The attacker manipulates ciphertext blocks and observes server error responses to recover plaintext byte by byte, typically targeting session cookies.

In virtually all modern contexts, no. SSLv3 was released in 1996 and all modern browsers and clients removed support for it following the 2014 disclosure. Internet Explorer 6 on Windows XP was the last commonly cited client requiring SSLv3, and both have been end-of-life for many years. Disabling SSLv3 and requiring TLS 1.2 or higher will not affect any supported browser or operating system.

TLS_FALLBACK_SCSV (defined in RFC 7507) is a special cipher suite value that a client includes in a downgraded handshake to signal to the server that it actually supports higher protocol versions. A server that supports higher versions but receives this signal will abort the handshake with an 'inappropriate_fallback' alert, preventing the downgrade. It mitigates the downgrade aspect of POODLE but does not make SSLv3 safe—disabling SSLv3 remains the required remediation.

Use the Qualys SSL Labs Server Test (https://www.ssllabs.com/ssltest/) which explicitly checks for SSLv3 support and POODLE vulnerability. The test will flag any server that continues to offer SSLv3 or that lacks TLS_FALLBACK_SCSV support. You can also use OpenSSL's command-line tool: 'openssl s_client -ssl3 -connect hostname:443' — a connection failure confirms SSLv3 is disabled. Sensagraph automatically detects SSLv3 availability as part of its continuous TLS configuration scanning.