
Poodle and You

Question asked by RSA Admin Employee on Oct 15, 2014
Latest reply on Oct 16, 2014 by RSA Admin

As many of you are aware, today we all had to become familiar with yet another SSL vulnerability:


SSLv3 vulnerability (CVE-2014-3566) AKA "Poodle" or the 'Padding Oracle On Downgraded Legacy Encryption' attack.


Right now the general advice is to first check to see if you are running the vulnerable SSL version, and if so to disable it. The team over at Red Hat have provided a simple script that will immediately let you know if you have SSLv3 enabled on your Linux-based servers. You can find that script here:


The bottom line is that the vulnerability is a flaw in a protocol dating from 1996. It is very unlikely a fix will be provided. A more secure alternative is to employ TLSv1.1 or TLSv1.2 and disable SSLv3 support in any internal clients and servers in your environment. TLSv1.0 is not a safe replacement.


The Security Analytics Content Team is in the process of modifying our Lua TLS parser to identify and flag SSLv3 communications. The parser is still being put through our QA testing scenarios and should be available in Live within the next 12-24 hours. In regard to Poodle, this parser's primary benefit will be to flag SSLv3 sessions to assist your organization with finding vulnerable devices on your network. It does not mitigate the need to disable the protocol.


While not as serious as some of the SSL/TLS vulnerabilities that came before it, it still presents a target in your environment. If you didn't already disable support for the protocol after the release of the BEAST attack tool in 2011, now is an ideal time to do so.


A collection of methods for disabling SSLv3 on various web servers and clients can be found below.


The information contained on the following link has not been validated by RSA, nor is there any implied support for the methods described. It is provided as a courtesy for inquisitive readers wanting to know more about how others are disabling the vulnerable protocol.


This thread will be updated as soon as we have finished internal testing of the TLS parser update and it has been made available on Live.
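As an added example (not code from the original post, and not RSA's Lua parser), the following Python script shows the check a network parser has to make to flag SSLv3 sessions: read the protocol version out of the ClientHello or ServerHello itself rather than the record-layer header, and treat 3.0 as SSLv3. It also recognises the SSLv2-compatible ClientHello framing that older clients still use to offer SSLv3. The `parse_hello`, `flag_sslv3` and `build_hello` names are this example's own, and the sample records and IP addresses are constructed here, not captured traffic.

```python
"""Flag SSLv3 hello messages in captured TLS handshake records (added example)."""
import struct

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 1, 2
SSLV3 = (3, 0)
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def version_name(ver):
    return VERSION_NAMES.get(ver, "unknown(%d.%d)" % ver)


def parse_hello(record):
    """Return the hello type and protocol version carried by one handshake record.

    Handles the normal record-layer framing (content type 0x16) and the
    SSLv2-compatible ClientHello that some legacy clients still send, which is
    recognisable by the high bit of its first byte being set.
    """
    if len(record) < 5:
        raise ValueError("truncated record")
    if record[0] & 0x80:
        # SSLv2 framing: 2-byte length, message type, then the highest version offered
        if record[2] != CLIENT_HELLO:
            raise ValueError("unsupported SSLv2-format message type %d" % record[2])
        return {"type": "ClientHello", "version": (record[3], record[4]), "v2_format": True}
    content_type, _, _, length = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record (content type %d)" % content_type)
    body = record[5:5 + length]
    if len(body) < 6:
        raise ValueError("truncated handshake message")
    hs_type = body[0]
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a hello message (handshake type %d)" % hs_type)
    # The version that matters is inside the hello, not in the record header: TLS
    # clients commonly send a 3.1 record header around a 3.3 ClientHello, and only
    # the ServerHello's version is the one the session will actually run at.
    return {"type": "ClientHello" if hs_type == CLIENT_HELLO else "ServerHello",
            "version": (body[4], body[5]), "v2_format": False}


def flag_sslv3(records):
    """Classify each (source, record) pair.

    A ServerHello at 3.0 means the session negotiated SSLv3; a ClientHello at 3.0
    means the client offers nothing newer (or a downgrade is in progress). Both
    are worth a ticket, but the ServerHello is the definitive one.
    """
    findings = []
    for src, rec in records:
        info = parse_hello(rec)
        findings.append({"src": src, "type": info["type"],
                         "version": version_name(info["version"]),
                         "sslv3": info["version"] == SSLV3})
    return findings


def build_hello(hs_type, version, record_version=None, cipher_suite=0x002F):
    """Build a minimal, structurally valid ClientHello or ServerHello record
    (used only to construct sample traffic for this example)."""
    random = b"\x00" * 32
    if hs_type == CLIENT_HELLO:
        suites = struct.pack("!H", cipher_suite)
        body = (struct.pack("!BB", *version) + random + b"\x00"
                + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    else:
        body = struct.pack("!BB", *version) + random + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", HANDSHAKE, *(record_version or version), len(handshake)) + handshake


# Constructed sample traffic; the addresses are made up for this example.
SSLV2_FORMAT_HELLO = b"\x80\x1c\x01\x03\x00\x00\x03\x00\x00\x00\x10\x00\x00\x2f" + b"\x00" * 16
SAMPLE_RECORDS = [
    ("10.0.0.5 -> 10.0.0.80", build_hello(CLIENT_HELLO, (3, 3), record_version=(3, 1))),
    ("10.0.0.80 -> 10.0.0.5", build_hello(SERVER_HELLO, (3, 3))),
    ("10.0.0.7 -> 10.0.0.80", build_hello(CLIENT_HELLO, (3, 0))),
    ("10.0.0.80 -> 10.0.0.7", build_hello(SERVER_HELLO, (3, 0))),
    ("10.0.0.9 -> 10.0.0.80", SSLV2_FORMAT_HELLO),
]

if __name__ == "__main__":
    for f in flag_sslv3(SAMPLE_RECORDS):
        print("%-22s %-11s %-8s %s" % (f["src"], f["type"], f["version"], "SSLv3!" if f["sslv3"] else ""))
```

Two points a detection like this should not skip: the first sample is a perfectly normal TLSv1.2 client whose record header says 3.1, so keying on the record header alone produces false positives; and the ServerHello, not the ClientHello, tells you whether a session actually ran over SSLv3, which is what you need when hunting for the devices to fix. Flagging traffic is still only triage; the protocol has to be disabled on the endpoints themselves.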