POODLE (Padding Oracle On Downgraded Legacy Encryption) allows a man-in-the-middle attacker to decrypt parts of an SSL 3.0 session (typically a session cookie) one byte at a time, by abusing the fact that SSL 3.0 does not check the contents of CBC padding bytes: a padding oracle side-channel attack.
POODLE affects Secure Socket Layer (SSL) version 3.0. TLS 1.0 and later are not affected by the original attack, because TLS requires the padding bytes to be checked. The danger is that many clients silently fall back to SSL 3.0 when a TLS handshake fails, and an active attacker can force that downgrade, so a server that still accepts SSL 3.0 exposes even TLS-capable clients.
To remediate this vulnerability, SSL 3.0 should be disabled on the server (and, where you control them, in clients as well).
To check whether your server is vulnerable, follow the steps below.
Create a script file, say poodle.sh, and copy in the contents shown below:
#vi poodle.sh
#!/bin/bash
# Usage: ./poodle.sh [host] [port]   (defaults: this host, port 443)
# Force an SSL 3.0-only handshake; the "Q" closes the connection once it is up.
# stderr is discarded, so a failed handshake leaves only the session block.
ret=$(echo Q | timeout 5 openssl s_client -connect "${1-$(hostname)}:${2-443}" -ssl3 2> /dev/null)
if echo "${ret}" | grep -q 'Protocol.*SSLv3'; then
    # openssl prints an SSL-Session block even when the handshake fails;
    # a Cipher of 0000 means no SSL 3.0 cipher suite was agreed.
    if echo "${ret}" | grep -q 'Cipher.*0000'; then
        echo "SSL 3.0 disabled"
    else
        echo "SSL 3.0 enabled"
    fi
else
    # No session block at all: connection refused, timeout, or an OpenSSL
    # build that no longer supports SSLv3 and rejects the -ssl3 option.
    echo "SSL disabled or other error"
fi
Save and exit (:wq!).
Make the poodle.sh file executable:
#chmod u+x poodle.sh
Next, run the script against the server to check for the vulnerability:
#./poodle.sh linuxbrainbox.com   # replace linuxbrainbox.com with your server name (add a port as the second argument if the service is not on 443)
If your server is vulnerable you will get the output
SSL 3.0 enabled
and if it is not vulnerable you will get the output
SSL 3.0 disabled
If you get "SSL disabled or other error" instead, the script could not complete an SSL 3.0 handshake attempt at all: the host or port may be wrong or unreachable, or the local OpenSSL may have been built without SSLv3 support (current OpenSSL releases are), in which case the -ssl3 option is rejected and the script cannot tell you anything about the server. In that case test from a host whose OpenSSL still includes SSLv3, or use another scanner such as nmap with its ssl-enum-ciphers script. Run the check against every port that terminates SSL/TLS, not only 443.
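The decision logic of poodle.sh, as an added example that is not part of the original post, separated from the network call so it can be exercised offline against captured openssl s_client output. The function names classify_sslv3_check and probe_sslv3 and the three sample session blocks are mine; the samples are constructed to look like s_client output and are not captures from any real server.

```shell
#!/bin/bash
# Added example (not from the original post): the poodle.sh decision logic
# applied to s_client output read from stdin, plus a wrapper for a live probe.

# classify_sslv3_check reads "openssl s_client -ssl3" output on stdin and prints:
#   enabled   - an SSLv3 session with a real cipher suite was negotiated
#   disabled  - SSLv3 was attempted but no suite was agreed (Cipher : 0000)
#   error     - no SSLv3 session block at all (refused, timeout, or an
#               OpenSSL build that rejects -ssl3; its stderr is discarded)
classify_sslv3_check() {
    local out
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Protocol *: *SSLv3'; then
        if printf '%s\n' "$out" | grep -q 'Cipher *: *0000'; then
            echo disabled
        else
            echo enabled
        fi
    else
        echo error
    fi
}

# Constructed sample: server accepted SSLv3 with a CBC suite, the case POODLE
# needs -> vulnerable.
SAMPLE_ENABLED='SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES128-SHA
    Session-ID: 3A1F...'

# Constructed sample: handshake failed; openssl still prints the session block,
# with the null cipher id 0000.
SAMPLE_DISABLED='SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:'

# Constructed sample: nothing on stdout at all (errors went to stderr).
SAMPLE_ERROR=''

# probe_sslv3 HOST [PORT] runs the real check; only used when a host is given
# on the command line, so the example stays offline by default.
probe_sslv3() {
    local host=$1 port=${2:-443}
    echo Q | timeout 5 openssl s_client -connect "${host}:${port}" -ssl3 2>/dev/null \
        | classify_sslv3_check
}

if [ -n "${1:-}" ]; then
    probe_sslv3 "$1" "${2:-443}"
else
    for s in "$SAMPLE_ENABLED" "$SAMPLE_DISABLED" "$SAMPLE_ERROR"; do
        printf '%s\n' "$s" | classify_sslv3_check
    done
fi
```

The patterns anchor on the "Protocol : SSLv3" and "Cipher : 0000" fields of the SSL-Session block rather than on any line containing SSLv3, which avoids a false "enabled" when the word appears elsewhere in the output (for example in a warning line).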
If you see SSL 3.0 enabled, follow the steps below.
Replace the SSLProtocol line in the ssl.conf of the httpd service (port 443) with the command below. The sed c\ command replaces the matching line in place; it does not append to the file:
sed -i '/^SSLProtocol/c\SSLProtocol ALL -SSLv2 -SSLv3' /etc/httpd/conf.d/ssl.conf
Note that this only works if the file has an active (uncommented) line starting with SSLProtocol. If the directive is missing or commented out, sed changes nothing and Apache keeps its default of allowing all protocols, SSLv3 included, so add the line by hand. Check any other virtual host files that set SSLProtocol too, then restart the httpd service (service httpd restart) so the new setting takes effect, and re-run poodle.sh to confirm the vulnerability is gone.
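An added example, not from the original post, that goes one step beyond the single sed line: it reads the active SSLProtocol directive the way Apache does (tokens processed left to right, a bare or +name adds a protocol, -name removes it, all enables everything, and a missing or commented-out directive means the default of all) to decide whether SSLv3 is still allowed, and then rewrites or appends the directive. The function names sslv3_allowed and disable_sslv3 and the sample ssl.conf are mine; the sample is a constructed fragment, not a real server configuration, and the rewrite assumes GNU sed as found on the RHEL/CentOS systems that use /etc/httpd.

```shell
#!/bin/bash
# Added example (not from the original post): audit and fix the SSLProtocol
# directive in an Apache ssl.conf, including the case where it is absent.

# sslv3_allowed FILE prints "yes" if Apache would still accept SSLv3 with this
# file, "no" otherwise. Only the last active (uncommented) SSLProtocol line in
# the file is considered.
sslv3_allowed() {
    local line tok state=no
    line=$(grep -iE '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1)
    if [ -z "$line" ]; then
        echo yes                  # no directive: Apache's default is "all"
        return
    fi
    set -- $line                  # word-split the directive into tokens
    shift                         # drop the directive name itself
    for tok in "$@"; do
        tok=$(printf '%s' "$tok" | tr 'A-Z' 'a-z')
        case "$tok" in
            all|+all|sslv3|+sslv3) state=yes ;;
            -sslv3)                state=no ;;
        esac
    done
    echo "$state"
}

# disable_sslv3 FILE replaces every active SSLProtocol line with a safe value
# (keeping its indentation), or appends one if the file has none. Assumes GNU
# sed for the -E and I (case-insensitive) flags.
disable_sslv3() {
    local f=$1 tmp
    if grep -qiE '^[[:space:]]*SSLProtocol[[:space:]]' "$f"; then
        tmp=$(mktemp)
        sed -E 's/^([[:space:]]*)SSLProtocol[[:space:]].*/\1SSLProtocol all -SSLv2 -SSLv3/I' "$f" > "$tmp"
        cat "$tmp" > "$f"         # cat, not mv, so owner and mode are kept
        rm -f "$tmp"
    else
        printf 'SSLProtocol all -SSLv2 -SSLv3\n' >> "$f"
    fi
}

# Constructed sample ssl.conf fragment (not a real server config). The active
# directive removes SSLv2 only, so SSLv3 is still accepted; the commented-out
# line must be ignored.
SAMPLE_CONF='Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    #SSLProtocol all -SSLv2
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
</VirtualHost>'

# demo writes the sample to a temp file, audits it, fixes it and audits again.
demo() {
    local f before after
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_CONF" > "$f"
    before=$(sslv3_allowed "$f")
    disable_sslv3 "$f"
    after=$(sslv3_allowed "$f")
    rm -f "$f"
    echo "before=$before after=$after"
}

demo
```

Run it against a real file with sslv3_allowed /etc/httpd/conf.d/ssl.conf before and after the change; as with the post's sed, test the configuration and restart httpd afterwards, since nothing here reloads the server.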