VMware Products and CVE-2014-3566 (POODLE)



Article ID: 308651


Products

  • VMware vCenter Server
  • VMware vSphere ESXi
  • Support Only for Apache HTTP

Issue/Introduction

Researchers at Google published a paper describing a padding oracle attack against CBC-mode cipher suites in SSL 3.0 (SSLv3). The issue is tracked as CVE-2014-3566 and is also known as "POODLE" (Padding Oracle On Downgraded Legacy Encryption).

This article provides guidance to mitigate this issue.

This issue is similar in its prerequisites (a man-in-the-middle position plus attacker-driven requests from the victim's browser) to the BEAST (Browser Exploit Against SSL/TLS) issue discussed in Mitigation of CVE-2011-3389 (BEAST) for web server administrators (2008784).


Environment

Apache HTTP Server 2.0

Cause

The root cause is in the SSL 3.0 record layer: with CBC-mode cipher suites the padding is not covered by the MAC and its bytes are not required to have any particular value, so the receiver checks only the final padding-length byte. An attacker who can alter ciphertext and observe whether the server accepts the record therefore obtains a padding oracle. Further details are available in the researchers' report referenced in the Additional Information section.

Notes:

  • It is an attack on the client's encrypted session rather than a compromise of the server. The most likely goal is to decrypt an HTTP session cookie that the browser attaches to every request, so that the attacker can hijack the user's session.

  • It requires man-in-the-middle (MITM) network access, both to force the connection down to SSL 3.0 (by interfering with the TLS handshake until the browser retries with SSL 3.0) and to modify encrypted records, together with enough control over the user's browser (typically injected JavaScript) to make it send many requests whose length and content the attacker chooses. The computational cost is modest: on average about 256 requests are needed for each byte recovered.
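To show why the SSL 3.0 padding check makes this attack possible, the following simulation is added for this article; it is not VMware's code and not part of any VMware product. It models the three parties: the browser (which MACs, pads and CBC-encrypts a request containing the cookie), the attacker's script (which controls the request lengths and swaps one ciphertext block over the padding block) and the server (whose only observable answer is accept or reject). Everything in it is constructed for the demonstration: a toy 8-byte Feistel cipher stands in for 3DES/AES, a truncated HMAC stands in for the SSL 3.0 MAC, the key, cookie and random seed are made up, and a fresh IV per record replaces SSL 3.0's chained IVs. None of that changes the attack logic. Running the same code with the TLS-style rule that every padding byte must equal the length byte shows why the block substitution fails against TLS 1.0 and later.

```python
import hashlib
import hmac
import random

BLOCK = 8      # toy 64-bit block cipher (like 3DES); the attack is unchanged for AES's 16-byte blocks
MAC_LEN = 8    # truncated MAC; what matters is SSL 3.0's MAC-then-encrypt order
ROUNDS = 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Feistel round function: keyed SHA-256 truncated to a 4-byte half block
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key, blk):
    # constructed toy Feistel cipher standing in for 3DES/AES (not a real cipher)
    l, r = blk[:4], blk[4:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, rnd, r))
    return r + l


def block_decrypt(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(ROUNDS)):
        l, r = r, _xor(l, _f(key, rnd, r))
    return r + l


def cbc_encrypt(key, iv, data):
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key, iv, data):
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        out += _xor(block_decrypt(key, data[i:i + BLOCK]), prev)
        prev = data[i:i + BLOCK]
    return bytes(out)


def mac(key, msg):
    return hmac.new(key, msg, "sha256").digest()[:MAC_LEN]


def client_record(key, rng, prefix_len, cookie, suffix_len, tls_padding=False):
    # Browser side: MAC, then padding, then CBC. The attacker's script chooses prefix_len and
    # suffix_len (URL path and body length); the browser appends the cookie itself.
    # SSL 3.0 fixes only the final length byte, so its padding bytes are random here;
    # TLS requires every padding byte to equal the length byte.
    msg = b"A" * prefix_len + cookie + b"B" * suffix_len
    data = msg + mac(key, msg)
    padlen = (-(len(data) + 1)) % BLOCK           # BLOCK-1 gives a full block of padding
    pad = bytes([padlen]) * padlen if tls_padding else bytes(rng.getrandbits(8) for _ in range(padlen))
    iv = bytes(rng.getrandbits(8) for _ in range(BLOCK))   # stands in for SSL 3.0's chained IV
    return iv + cbc_encrypt(key, iv, data + pad + bytes([padlen]))


def server_accepts(key, record, tls_padding=False):
    # Server side. tls_padding=False: SSL 3.0 rule, only the length byte is checked.
    # tls_padding=True: TLS 1.0+ rule, every padding byte must equal the length byte.
    iv, body = record[:BLOCK], record[BLOCK:]
    if not body or len(body) % BLOCK:
        return False
    pt = cbc_decrypt(key, iv, body)
    padlen = pt[-1]
    if padlen >= BLOCK or len(pt) < padlen + 1 + MAC_LEN:
        return False
    if tls_padding and any(b != padlen for b in pt[-(padlen + 1):-1]):
        return False
    data = pt[:len(pt) - padlen - 1]
    return hmac.compare_digest(mac(key, data[:-MAC_LEN]), data[-MAC_LEN:])


def poodle_recover(oracle, request, cookie_len, max_tries=100000):
    # For cookie byte k: place it at the end of ciphertext block C_t and make the record end
    # with a full padding block, then copy C_t over that padding block. The server decrypts the
    # copy as P_t XOR C_(t-1) XOR C_(n-2) and accepts only when its last byte equals BLOCK-1
    # (probability 1/256); an accept therefore reveals the last byte of P_t, i.e. cookie byte k.
    recovered, tries = bytearray(), 0
    for k in range(cookie_len):
        prefix_len = (BLOCK - 1 - k) % BLOCK
        suffix_len = (-(prefix_len + cookie_len + MAC_LEN)) % BLOCK
        t = (prefix_len + k) // BLOCK
        for _ in range(max_tries):
            tries += 1
            rec = request(prefix_len, suffix_len)
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]   # blocks[0] is the IV
            forged = blocks[:-1] + [blocks[t + 1]]                            # padding block := C_t
            if oracle(b"".join(forged)):
                recovered.append((BLOCK - 1) ^ blocks[t][-1] ^ blocks[-2][-1])
                break
        else:
            return None, tries
    return bytes(recovered), tries


def run_demo(cookie=b"s3cr3t", tls_padding=False, seed=2014, max_tries=100000):
    # Returns (recovered cookie or None, number of requests the browser was made to send).
    key = b"constructed-session-key"   # constructed: the negotiated session key, unknown to the attacker
    rng = random.Random(seed)           # seeded so that a run is reproducible
    return poodle_recover(lambda rec: server_accepts(key, rec, tls_padding),
                          lambda p, s: client_record(key, rng, p, cookie, s, tls_padding),
                          len(cookie), max_tries)


if __name__ == "__main__":
    print("SSL 3.0 padding check: recovered %r after %d requests" % run_demo())
    print("TLS padding check: recovered %r after %d requests" % run_demo(tls_padding=True, max_tries=2000))
```

The request counts printed by the SSL 3.0 run come out close to 256 per cookie byte, which is the cost figure that matters when judging the attack: no cryptanalysis is involved, only a few thousand requests that injected script can make a browser issue in seconds.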

Resolution

To mitigate this issue, disable SSL 3.0 (SSL v3) in your browser. Review the browser vendor's documentation, or contact the vendor, for instructions on how to disable SSL v3. Because the attack depends on the connection being negotiated with SSL 3.0, disabling the protocol on either end of the connection prevents it: the browser is the end this article covers, and servers that still offer SSL 3.0 should have it turned off as well where possible. Browsers and servers that implement the TLS_FALLBACK_SCSV signalling value additionally refuse the forced downgrade even while SSL 3.0 remains enabled.

Notes:

  • Current VMware products support TLS and therefore continue to function when SSL v3 is disabled in the browser.
  • Browser (and component) makers recommend that the use of SSL v3 be discontinued.
  • Communication between VMware products is not affected, because it takes place directly between the products' own endpoints and no browser is involved that an attacker could drive into sending repeated, attacker-controlled requests.
  • VMware is planning to phase out the support of SSL v3 in its products during future maintenance releases.
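To check which servers in an environment still negotiate SSL 3.0, the following probe, added for this article and not part of VMware's guidance or products, builds a raw SSL 3.0 ClientHello offering the CBC cipher suites the attack applies to and classifies the first record the server sends back. It does not depend on `openssl s_client -ssl3`, which many current OpenSSL builds no longer support. The host name and port are whatever you pass on the command line; the two sample replies at the bottom are constructed by hand for the offline self-test, not captured from any real server.

```python
import os
import socket
import struct
import sys

SSL3 = b"\x03\x00"                                  # SSL 3.0 version bytes
# CBC cipher suites the attack applies to (IANA values): RSA and DHE with AES-128/256-CBC and 3DES-CBC
CBC_SUITES = [0x002F, 0x0035, 0x000A, 0x0033, 0x0039]


def build_client_hello(suites=CBC_SUITES, rand=None):
    # SSL 3.0 ClientHello record (RFC 6101 layout; SSL 3.0 has no extensions)
    rand = os.urandom(32) if rand is None else rand
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (SSL3 + rand + b"\x00"                                   # version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes      # cipher_suites vector
            + b"\x01\x00")                                          # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 24-bit length
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    # 'sslv3'   : server answered with an SSL 3.0 ServerHello, i.e. it still negotiates SSL 3.0
    # 'refused' : server sent an alert (handshake_failure / protocol_version) instead
    # 'other'   : empty or unrecognised reply (closed connection, non-TLS service, ...)
    if len(data) < 5:
        return "other"
    ctype, version = data[0], data[1:3]
    payload = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if ctype == 0x15:
        return "refused"
    if (ctype == 0x16 and version == SSL3 and len(payload) >= 6
            and payload[0] == 0x02 and payload[4:6] == SSL3):
        return "sslv3"
    return "other"


def probe(host, port=443, timeout=5.0):
    # Send the ClientHello and classify the first record that comes back.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_response(reply)


# Constructed sample replies for the offline self-test (not captured from any real server).
SAMPLE_SERVER_HELLO = (b"\x16" + SSL3 + b"\x00\x2a"                 # handshake record, 42 bytes
                       + b"\x02\x00\x00\x26" + SSL3 + bytes(32)      # ServerHello, version, random
                       + b"\x00" + b"\x00\x2f" + b"\x00")            # no session id, AES128-SHA, null compression
SAMPLE_ALERT = b"\x15" + SSL3 + b"\x00\x02\x02\x28"                   # fatal handshake_failure

if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print("%s:%d -> %s" % (host, port, probe(host, port)))
```

Run it as `python3 sslv3_probe.py <host> [port]` (the file name is an assumption). A result of `sslv3` means the server should have the protocol disabled; on Apache mod_ssl that is `SSLProtocol all -SSLv2 -SSLv3` in the relevant virtual host followed by a restart, after which the probe should report `refused`. The probe only shows whether SSL 3.0 is negotiable; it does not attempt the attack.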


Additional Information

This vulnerability was discovered and reported publicly by security researchers. For more information, see the researchers' vulnerability report and the links it provides.

Mitigation of CVE-2011-3389 (BEAST) for web server administrators
VMware Products and CVE-2014-3566 (POODLE) (Japanese version)
VMware Products and CVE-2014-3566 (POODLE) (Chinese version)