POODLE

CVE identifier(s): CVE-2014-3566
Date discovered: October 14, 2014
Discoverer: Bodo Möller, Thai Duong, Krzysztof Kotowicz (Google Security Team)
Affected software: Any software that uses or supports a fallback to SSL 3.0

POODLE (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a security vulnerability that takes advantage of the fallback to SSL 3.0.[1][2][3] An attacker who successfully exploits this vulnerability needs, on average, only 256 SSL 3.0 requests to reveal one byte of an encrypted message. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered the vulnerability and disclosed it publicly on October 14, 2014 (despite the paper being dated "September 2014"[1]).[4] On December 8, 2014, a variation of the POODLE vulnerability that affected TLS was announced.[5]

The CVE-ID associated with the original POODLE attack is CVE-2014-3566. F5 Networks also filed for CVE-2014-8730; see the "POODLE attack against TLS" section below.
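The 256-request average stated above follows from how SSL 3.0 validates CBC padding: only the final length byte is checked, whereas TLS 1.0 and later require every padding byte to match. The sketch below is an added illustration, not code from the original page or the cited paper; the 16-byte block size, the function names and the randomly generated sample blocks are assumptions made for this example.

```python
import random

BLOCK = 16           # assumed CBC block size in bytes (e.g. AES)
PAD_LEN = BLOCK - 1  # length byte of a final block that is entirely padding


def ssl3_padding_ok(block: bytes) -> bool:
    # SSL 3.0 leaves the padding bytes unspecified and unauthenticated:
    # the receiver can only inspect the last byte (the padding length).
    return block[-1] == PAD_LEN


def tls_padding_ok(block: bytes) -> bool:
    # TLS 1.0+ requires every padding byte to equal the padding length.
    return all(b == PAD_LEN for b in block)


def accepted_fraction(check, per_value: int = 16, seed: int = 0) -> float:
    """Share of arbitrary final blocks (constructed sample data) that pass
    `check`, with every possible last-byte value tried equally often."""
    rng = random.Random(seed)  # seeded so the result is reproducible
    accepted = total = 0
    for last in range(256):
        for _ in range(per_value):
            body = bytes(rng.randrange(256) for _ in range(BLOCK - 1))
            accepted += check(body + bytes([last]))
            total += 1
    return accepted / total


def expected_requests(fraction: float) -> float:
    # Mean of a geometric distribution with success probability `fraction`.
    return float("inf") if fraction == 0 else 1 / fraction


if __name__ == "__main__":
    for name, check in (("SSL 3.0", ssl3_padding_ok), ("TLS", tls_padding_ok)):
        frac = accepted_fraction(check)
        print(f"{name}: accepted {frac:.6f}, "
              f"mean requests per accepted record {expected_requests(frac)}")
```

Under the SSL 3.0 rule one arbitrary block in 256 is accepted, which matches the figure in the text; under the TLS rule none of the sampled blocks pass, which is why disabling SSL 3.0 (and any fallback to it) removes this oracle.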

  1. Möller, Bodo; Duong, Thai; Kotowicz, Krzysztof (September 2014). "This POODLE Bites: Exploiting The SSL 3.0 Fallback" (PDF).
  2. Bright, Peter (October 15, 2014). "SSL broken, again in POODLE attack". Ars Technica.
  3. Brandom, Russell (October 14, 2014). "Google researchers reveal new Poodle bug, putting the web on alert".
  4. "Google Online Security Blog: This POODLE bites: exploiting the SSL 3.0 fallback". Google Online Security Blog. Retrieved June 1, 2015.
  5. Langley, Adam (December 8, 2014). "The POODLE bites again". Retrieved December 8, 2014.