POODLE (TLS)

Padding Oracle On Downgraded Legacy Encryption

"This server supports older SSL/TLS protocols. It is vulnerable to a Poodle (TLS) attack. Disable older protocols."

Problem

New versions of the POODLE (SSL) vulnerability were discovered like Zombie POODLE, GOLDENDOODLE, 0-Length OpenSSL and Sleeping POODLE. These new POODLE vulnerabilities were found on sites using the TLS 1.0, TLS 1.1, and TLS 1.2 protocols with the Cipher Block Chaining (CBC) block cipher modes enabled.

Solution

Short term: Disable support for CBC encryption ciphers.

Long term: Enable the TLS 1.3 protocol.

Workaround

Configure TLS to deprioritize CBC ciphers. Attacker can’t force the use of CBC cipher. Attacker can only initiate the attack with a client or server that normally negotiates a CBC cipher. Only use this workaround if you’re unable to disable support for CBC encryption ciphers.