POODLE: SSLv3 vulnerability (CVE-2014-3566)

A new vulnerability has been found in the SSL 3.0 protocol. All implementations of SSL 3.0 are affected.

Red Hat CVE entry: CVE-2014-3566

What Is POODLE Vulnerability?

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. A man-in-the-middle attacker first forces the connection down to SSL 3.0 (the "downgrade") and then decrypts ciphertext using a padding-oracle side-channel attack. More details are available in the OpenSSL advisory.

POODLE affects an older encryption standard, Secure Sockets Layer (SSL) version 3.0. It does not affect the newer protocol, Transport Layer Security (TLS).

SSL certificates are not affected, i.e. you do not need to reissue your certificate even if your server is found to be vulnerable.


To mitigate this vulnerability, SSL 3.0 should be disabled in all affected packages.

Determining Vulnerability

Run the following script from your server. If the output says "SSL 3.0 enabled", the server is VULNERABLE.

If the output says "SSL 3.0 disabled", the server is not vulnerable.

#!/bin/bash
# Try an SSLv3-only handshake; an empty cipher (0000) means the server refused SSLv3.
ret=$(echo Q | timeout 5 openssl s_client -connect "$1:${2-443}" -ssl3 2> /dev/null)
if echo "${ret}" | grep -q 'Protocol.*SSLv3'; then
    if echo "${ret}" | grep -q 'Cipher.*0000'; then
        echo "SSL 3.0 disabled - $1 Not Vulnerable"
    else
        echo "SSL 3.0 enabled - $1 VULNERABLE"
    fi
else
    echo "SSL disabled or other error"
fi

Usage: poodle.sh www.example.com [port]   (port defaults to 443)

Red Hat customers can use the online tool from Red Hat Labs.


Disable SSLv2 and SSLv3 (enable everything except SSLv2 and SSLv3) in httpd.conf:

SSLProtocol All -SSLv2 -SSLv3

Restart the httpd service:

# service httpd restart
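The following is an added example, not the original poodle.sh: the same openssl s_client probe split into a testable classifier with a machine-readable exit status, plus a check that a TLS handshake still succeeds once SSLv3 has been turned off. It assumes openssl built with SSLv3 client support and coreutils timeout; the sample outputs are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: SSLv3 probe factored into a testable classifier plus a post-fix TLS check.
# Assumes: openssl (with SSLv3 client support) and timeout are on PATH.

# sslv3_state: reads s_client output on stdin, prints a verdict word and returns
# 0 = SSLv3 disabled, 1 = SSLv3 enabled (vulnerable), 2 = no answer / other error.
sslv3_state() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Protocol.*SSLv3'; then
        if printf '%s\n' "$out" | grep -q 'Cipher.*0000'; then
            echo NOT_VULNERABLE; return 0
        fi
        echo VULNERABLE; return 1
    fi
    echo ERROR; return 2
}

# probe HOST PORT [PROTO_FLAG]: raw s_client output; with no flag the client
# negotiates its default (TLS) protocol version.
probe() {
    echo Q | timeout 5 openssl s_client -connect "$1:$2" ${3:+"$3"} 2>/dev/null
}

# check_host HOST [PORT]: report SSLv3 status and, because the fix is to turn
# SSLv3 off, confirm that a TLS handshake still works so normal clients are not broken.
check_host() {
    host=$1; port=${2-443}
    probe "$host" "$port" -ssl3 | sslv3_state >/dev/null && rc=0 || rc=$?
    case $rc in
        0) echo "SSL 3.0 disabled - $host Not Vulnerable" ;;
        1) echo "SSL 3.0 enabled - $host VULNERABLE" ;;
        *) echo "SSL disabled or other error - $host" ;;
    esac
    if probe "$host" "$port" | grep -q 'Protocol.*TLSv1'; then
        echo "TLS handshake OK - $host still serves TLS clients"
    else
        echo "WARNING: no TLS handshake with $host - check SSLProtocol"
    fi
    return $rc
}

# Constructed sample s_client summaries (not real captures) in the shape the grep checks expect.
SAMPLE_SSLV3_ON='New, SSLv3, Cipher is AES128-SHA
    Protocol  : SSLv3
    Cipher    : AES128-SHA'
SAMPLE_SSLV3_OFF='New, (NONE), Cipher is (NONE)
    Protocol  : SSLv3
    Cipher    : 0000'

# Usage: ./check.sh www.example.com [443]
if [ "$#" -gt 0 ]; then check_host "$@"; fi
```

The exit status of check_host (0 safe, 1 vulnerable, 2 no answer) makes the script usable from a loop over a host list or from monitoring.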



Red Hat Article – POODLE SSLv3 vulnerability