POODLE (Padding Oracle On Downgraded Legacy Encryption)

Facts

Poodle is security hole in Secure Sockets Layer (SSL) 3.0 discovered by Google security engineers. The vulnerability allows encrypted, ostensibly-secret information to be exposed by an attacker with network access. Poodle, which stands for Padding Oracle On Downgraded Legacy Encryption, is a problem because it's used by both websites and Web browsers. Both must be reconfigured to prevent using SSL 3.0. The good news is that most website and web browsers use a TLS protocol, which is SSL's more modern, less vulnerable younger sibling.

The reason that Poodle is a problem is that attackers can force your browser to downgrade to SSL 3.0. If either browser or server runs into problems connecting with TLS, sites and browsers will often fall back to SSL. The problem is that attackers can force a connection failure which would force a site to use SSL 3.0, which would then expose it to hackers. There are workarounds possible to stop an attacker from forcing this failure or to prevent falling back to using SSL 3.0.

Applications Manager

Thisis, as with the Heartbleed vulnerability, less a question of Automic and ourproducts than of the underlying server/browser infrastructure.

To exploit it an attacker has to be on the same network as the web browserhaving the session to the server (i.e.: it cannot exploited form anywhere inthe internet remotely). It is the underlying webserver or browser which defines the encryption protocol; Notthe Automic product. For information on how to do this within the web browser or Apache webserver, it is recommended to contact those vendors.