POODLE (CVE-2014-3566) is an security vulnerability in SSLv3 discovered by Google in September. POODLE stands for Padding Oracle On Downgraded Legacy Encryption. All the websites supporting SSLv3 is vulnerable to POODLE, even if it also supports more recent versions of TLS. Using POODLE a hacker run Man-in-the-middle attacks attacks in your network stream and can steal secure HTTP cookies. This vulnerability has been found in SSLv3. For more information visit openssl security advisory.
Fix POODLE (CVE-2014-3566):
The easy and best solution is from preventing POODLE is disabling SSLv3 support from server side.
Apache Users:
Apache users edit your Apache configuration file /etc/httpd/conf.d/ssl.conf and update following values like below after making changes restart Apache service.
SSLProtocol all -SSLv3 -SSLv2
NGINX Users:
All the NGINX users edit your nginx configuration file /etc/nginx/nginx.conf and update following values as below. After updating setting restart nginx service.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Leave a Reply