QID 38603: POODLE - SSLv3 Padding Oracle Attack Information Disclosure Vulnerability

Document created by Bernie Weidel (Employee) on Nov 5, 2014. Last modified by Robert Dell'Immagine on Nov 5, 2014.
Version 4

QID 38603 : SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE) is reported whenever SSLv3 is detected as enabled on the target. POODLE exploits the loose padding check that SSLv3 applies to CBC-mode cipher suites, so the full recommended solution for QID 38603 is to disable SSLv3 entirely and use TLSv1.1 or later. If an upgrade to TLS is not currently feasible, a short-term mitigation for QID 38603 is to remove the CBC suites from the SSLv3 configuration and rely on RC4 suites instead. (Note that RC4 has known weaknesses of its own, so the full move to TLSv1.1 or later is strongly recommended.)

 

You can use the free Qualys SSL Labs server test at https://www.ssllabs.com/ to confirm whether your system is fully vulnerable (SSLv3 with CBC suites) or whether the risk has been mitigated by removing the CBC suites from SSLv3. Where the CBC suites have been removed, the finding can be approved as a PCI False Positive Request.
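As an added example (not Qualys tooling and not SSL Labs code), the following Python script performs the same two checks that distinguish the states described above: it sends an SSLv3 ClientHello offering only CBC suites, then one offering only RC4 suites, and reports VULNERABLE, MITIGATED or NOT AFFECTED depending on whether the server answers each with an SSLv3 ServerHello. It builds the record layer by hand, so it works even where the local OpenSSL build has SSLv3 compiled out. Host and port are assumed command-line arguments; the cipher-suite IDs are from the IANA TLS registry; the ServerHello and alert records at the bottom are constructed samples for offline testing.

```python
"""SSLv3 probe for the two states distinguished above: SSLv3 negotiated with a
CBC suite (POODLE applies) versus SSLv3 negotiated only with RC4 ('mitigated').
Added example, not Qualys or SSL Labs code.  Suite IDs are from the IANA TLS
registry; host and port are whatever you pass on the command line (assumed)."""
import os
import socket
import struct
import sys

SSL3_VERSION = b"\x03\x00"
CT_HANDSHAKE, CT_ALERT = 0x16, 0x15
HT_CLIENT_HELLO, HT_SERVER_HELLO = 0x01, 0x02

# CBC suites an SSLv3-era server is likely to offer; these are the POODLE-relevant ones.
CBC_SUITES = {
    0x0009: "RSA_WITH_DES_CBC_SHA", 0x000A: "RSA_WITH_3DES_EDE_CBC_SHA",
    0x0016: "DHE_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "RSA_WITH_AES_128_CBC_SHA",
    0x0033: "DHE_RSA_WITH_AES_128_CBC_SHA", 0x0035: "RSA_WITH_AES_256_CBC_SHA",
    0x0039: "DHE_RSA_WITH_AES_256_CBC_SHA", 0xC012: "ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC013: "ECDHE_RSA_WITH_AES_128_CBC_SHA", 0xC014: "ECDHE_RSA_WITH_AES_256_CBC_SHA",
}
# Stream-cipher suites: not subject to POODLE, but RC4 has biases of its own.
RC4_SUITES = {0x0004: "RSA_WITH_RC4_128_MD5", 0x0005: "RSA_WITH_RC4_128_SHA",
              0xC011: "ECDHE_RSA_WITH_RC4_128_SHA"}


def build_client_hello(suites, client_random=None):
    """One SSLv3 record carrying a ClientHello that offers only `suites`.
    SSLv3 has no extensions: version, random, session id, suites, compression."""
    client_random = client_random or os.urandom(32)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (SSL3_VERSION + client_random
            + b"\x00"                                      # empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                                 # compression: null only
    handshake = bytes([HT_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([CT_HANDSHAKE]) + SSL3_VERSION
            + struct.pack("!H", len(handshake)) + handshake)


def parse_server_response(data):
    """Classify the first record the server returned: ("ssl3", suite_id) for a
    ServerHello with server_version 3.0, ("alert", description) for an alert
    (40 = handshake_failure), or ("other", None) for anything else."""
    if len(data) < 5:
        return ("other", None)
    content_type = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == CT_ALERT and len(payload) >= 2:
        return ("alert", payload[1])
    if content_type != CT_HANDSHAKE or len(payload) < 4 or payload[0] != HT_SERVER_HELLO:
        return ("other", None)
    hello = payload[4:]                       # skip handshake type + 3-byte length
    if len(hello) < 35:                       # version(2) + random(32) + sid_len(1)
        return ("other", None)
    off = 35 + hello[34]                      # cipher_suite follows the session id
    if hello[0:2] != SSL3_VERSION or len(hello) < off + 2:
        return ("other", None)
    return ("ssl3", struct.unpack("!H", hello[off:off + 2])[0])


def probe(host, port, suites, timeout=5.0):
    """Send one ClientHello and classify the reply.  This is the only network
    call; the constructed samples below exercise the parser offline."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(suites))
        data = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
            if len(data) >= 5 and len(data) >= 5 + struct.unpack("!H", data[3:5])[0]:
                break                         # first record is complete
    return parse_server_response(data)


def verdict(cbc_result, rc4_result):
    """Map the CBC-only and RC4-only probe outcomes onto the three states."""
    if cbc_result[0] == "ssl3":
        name = CBC_SUITES.get(cbc_result[1], hex(cbc_result[1]))
        return "VULNERABLE: SSLv3 negotiated with CBC suite " + name
    if rc4_result[0] == "ssl3":
        return "MITIGATED: SSLv3 still enabled but CBC refused (RC4 only); disable SSLv3"
    return "NOT AFFECTED: server refused SSLv3"


def make_server_hello(suite, version=SSL3_VERSION):
    """Constructed sample ServerHello (zero random, empty session id) for offline use."""
    body = version + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = bytes([HT_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CT_HANDSHAKE]) + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


# Constructed sample: fatal alert with description 40 (handshake_failure).
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"

if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    cbc = probe(host, port, list(CBC_SUITES))
    rc4 = probe(host, port, list(RC4_SUITES))
    print(verdict(cbc, rc4))
```

Run it as `python3 ssl3_probe.py host 443`. The probe sends only a ClientHello and reads the first record, so it never completes a handshake; a MITIGATED result means the finding still reproduces on the scanner (SSLv3 is still on), which is exactly the case the False Positive Request process above exists for, and NOT AFFECTED is the state you want once SSLv3 is disabled.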
