Three Google security researchers discovered a flaw in the Secure Sockets Layer (SSL) 3.0 cryptography protocol (SSLv3) and detailed how it could be exploited through what they called a Padding Oracle On Downgraded Legacy Encryption (POODLE) attack (CVE-2014-3566). The bug means SSL 3.0 could be exploited to intercept data that is supposed to be encrypted between computers and servers.
It is important to note that this is NOT a flaw in SSL certificates, their private keys, or their design, but in the old SSLv3 protocol. SSL certificates are not affected, and customers with certificates on servers supporting SSL 3.0 do not need to replace them.
To mitigate the bug, operators of web services are advised to:
- Check to see if your webservers are vulnerable using our free SSL Toolbox.
- Disable SSL 3.0 altogether, or disable SSL 3.0 CBC-mode ciphers.
- Consider a cloud-based Web Application Firewall, which can help protect against this kind of vulnerability.
- Be leery of any spam messages from scammers trying to capitalize on uncertainty and a lack of technical knowledge.
- If applicable, implement F5’s patch. For A10 Networks devices, see A10’s patch.
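As an added example (not the SSL Toolbox and not code from the original page), the Python below shows one way to verify the first two items against a server you operate: it sends an SSL 3.0 ClientHello that offers only CBC-mode suites and reports whether the server accepts it. The function names and the two sample replies are constructed for illustration.

```python
import os, socket, struct

SSL3 = b"\x03\x00"
# CBC-mode suites offered by the probe (IDs from the IANA TLS registry).
CBC_SUITES = {0x000A: "RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "RSA_WITH_AES_128_CBC_SHA",
              0x0035: "RSA_WITH_AES_256_CBC_SHA"}

def build_client_hello():
    """SSLv3 ClientHello that offers only CBC suites (no extensions)."""
    suites = b"".join(struct.pack("!H", s) for s in CBC_SUITES)
    body = SSL3 + os.urandom(32) + b"\x00"        # version, random, empty session id
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # null compression
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify(reply):
    """Return (accepts_sslv3_cbc, detail) for the server's first record."""
    if len(reply) < 5:
        return False, "closed without reply"
    if reply[0] == 0x15:                          # alert: level at 5, description at 6
        return False, "alert %d" % (reply[6] if len(reply) > 6 else -1)
    if reply[0] != 0x16 or len(reply) < 44 or reply[5] != 0x02:
        return False, "unexpected reply"
    if reply[9:11] != SSL3:
        return False, "server chose another version"
    off = 44 + reply[43]                          # skip the variable-length session id
    if len(reply) < off + 2:
        return False, "truncated ServerHello"
    suite = struct.unpack("!H", reply[off:off + 2])[0]
    return suite in CBC_SUITES, CBC_SUITES.get(suite, "suite 0x%04X" % suite)

def probe(host, port=443, timeout=5.0):
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:  # read one full record: 5-byte header plus the length it declares
            while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except OSError:                           # reset or timeout counts as a refusal
            pass
    return classify(data)

# Constructed sample replies (not captured traffic) so the parser runs offline.
SAMPLE_HELLO = b"\x16\x03\x00\x00\x2a\x02\x00\x00\x26" + SSL3 + bytes(32) + b"\x00\x00\x2f\x00"
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"
```

A result of `(True, ...)` from `probe` means the server still negotiates SSL 3.0 with a CBC suite; after either mitigation in the list is applied, the same call should return `False` with an alert or a closed connection.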
Read more at: Symantec Website Security Solutions Blog