I know what you're all thinking: another issue with SSL. This just highlights how important this software is; it is essential if anything is to be kept private, such as in many forms of e-commerce.

The POODLE vulnerability is a weakness in version 3 of the SSL protocol that allows an attacker in a man-in-the-middle context to decipher the plain text content of an SSLv3 encrypted message.

POODLE stands for Padding Oracle On Downgraded Legacy Encryption – as the name implies, this affects older versions of SSL. The main problem is that the issue is with the design of the protocol itself, not the implementation, so ALL versions are at risk. A point release will not fix this. The only solution is to disable SSLv3 entirely.

In Apache you need to change your SSL config: edit the SSLProtocol directive, usually in a file called SSL.conf in the Apache config directories, so that it now has -SSLv3, which disables it entirely:

SSLProtocol all -SSLv3 -SSLv2

There are other changes for other web servers such as nginx; please see the appropriate documentation on the issue.

The POODLE vulnerability exists because the SSLv3 protocol does not properly check the padding bytes. Since these cannot be checked by the receiving party, an attacker can replace them and pass them on to the intended destination. When done in a specific way, the modified payload will be accepted by the recipient.
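The padding check described above, as an added example that is not part of the original post: it models an already-decrypted CBC record and compares the SSLv3 rule (only the final length byte is checked) with the TLS 1.0+ rule (every padding byte must equal the length). HMAC-SHA1 stands in for SSLv3's own MAC construction, and the key, sample request and function names are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16     # CBC block size in bytes (AES-sized; assumption for this example)
MAC_LEN = 20   # SHA-1 tag length
KEY = b"constructed-demo-mac-key"  # constructed sample key


def mac(data: bytes) -> bytes:
    # Stand-in: SSLv3 has its own keyed-hash MAC; HMAC-SHA1 keeps the example short.
    return hmac.new(KEY, data, hashlib.sha1).digest()


def build_record(data: bytes) -> bytes:
    """MAC-then-pad layout before CBC encryption: data || MAC || padding || pad_len."""
    body = data + mac(data)
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)


def replace_padding(record: bytes) -> bytes:
    """Change every padding byte but keep the final length byte (the page's scenario)."""
    pad_len = record[-1]
    junk = bytes(b ^ 0xFF for b in record[-1 - pad_len:-1])
    return record[:-1 - pad_len] + junk + record[-1:]


def open_record(record: bytes, strict_padding: bool) -> bytes:
    """strict_padding=False models the SSLv3 rule, True the TLS 1.0+ rule.
    Illustration only: a real implementation must do these checks in constant time."""
    pad_len = record[-1]
    if pad_len + 1 + MAC_LEN > len(record):
        raise ValueError("bad padding length")
    if strict_padding and record[-1 - pad_len:-1] != bytes([pad_len]) * pad_len:
        raise ValueError("bad padding bytes")
    body = record[:-1 - pad_len]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(tag, mac(data)):  # the MAC never covers the padding
        raise ValueError("bad MAC")
    return data


def accepted(record: bytes, strict_padding: bool) -> bool:
    try:
        open_record(record, strict_padding)
        return True
    except ValueError:
        return False
```

Because the MAC is computed before padding is added, the altered record still passes the MAC check; only the stricter padding rule of later protocol versions notices the change.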

To find out more information about the vulnerability please consult the CVE information found at CVE-2014-3566.


Adam Skinner

Web developer who takes a keen interest in FOSS and other technical subjects. Currently learning Laravel.