Padding Oracle On Downgraded Legacy Encryption (POODLE)

Author: HollyGraceful    Published: 25 October 2022    Last Updated: 03 November 2022

Padding Oracle On Downgraded Legacy Encryption (POODLE) is an attack against SSLv3.0. It exploits two aspects of SSLv3.0. The first is that an attacker in a position to intercept and modify network traffic between a client and server can force the connection to fall back to SSLv3.0, because clients of the time would retry a failed handshake with an older protocol version. The second is a padding oracle issue with block ciphers in cipher-block chaining (CBC) mode in SSLv3.0, which allows the attacker to decrypt small amounts of plaintext from encrypted messages, such as session tokens and confidential cookie values, one byte at a time (on average one byte per 256 forced requests).

This issue is due to a flaw in the SSLv3.0 specification: it defines only the final byte of the padding (the padding length) and leaves the content of the remaining padding bytes unspecified, so an implementation has nothing to verify them against. As the issue lies in the specification rather than in any particular implementation, it cannot be fixed with a software patch. That said, SSL has been deprecated for a long time and has been superseded by Transport Layer Security (TLS); all versions of SSL should therefore simply be disabled.

It is recommended that:

  • All versions of SSL are disabled



A very similar padding-oracle vulnerability was found in some TLS implementations. The TLS specification does define the content of the padding (every padding byte must equal the padding length) and requires the receiver to validate it. However, some implementations failed to perform this validation correctly, opening them to a POODLE-style attack even with SSLv3.0 disabled. In the case of TLS POODLE this is an implementation-specific issue and can be fixed via a software update.

To differentiate between these two issues the former is often referred to as “SSL POODLE” and the latter “TLS POODLE”. It should be noted that whilst all implementations of SSLv3.0 share the same issue (CVE-2014-3566), each vulnerable TLS implementation is a separate issue and should be referred to by its own CVE ID. For example, TLS POODLE within F5 products is CVE-2014-8730. That said, vendors have often neglected to do this; for example, Cisco uses the ID CVE-2014-8730 within their own documentation even though that ID should be restricted to F5 products.

It is recommended that:

  • Vulnerable TLS implementations are updated.
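
The following simulation is an added example and is not code from the original article. It ties together the two issues described above: the SSLv3.0 padding rule (only the length byte is checked) and the TLS rule (every padding byte must equal the length and must be validated). Everything in it is a toy built on the Python standard library alone: the block cipher is a 4-round Feistel network keyed with HMAC-SHA256 (not a real cipher, and not SSL's), the record MAC is HMAC-SHA1 (SSLv3.0's actual MAC construction differs), and the "browser" and "server" are local functions; the cookie value, request filler bytes, key material and RNG seed are all constructed for the demo. What is faithful is the attack itself: the attacker's script chooses request lengths so that the target cookie byte sits at the end of a block and the padding fills a whole block, then copies the target ciphertext block over the padding block; the receiver accepts the record exactly when the decrypted last byte equals the expected padding length, which leaks one plaintext byte. The same substitution against a receiver that checks the filler bytes, as TLS requires, is never accepted, so no oracle exists.

```python
"""POODLE against an SSLv3-style CBC record layer, simulated end to end.

Added example, not code from the original article. The block cipher, MAC
and record layer are toys (standard library only); the padding checks
are the part that matters.
"""
import hashlib
import hmac
import random

BLOCK = 16     # cipher block size in bytes
MAC_LEN = 20   # HMAC-SHA1 output length
ROUNDS = 4     # Feistel rounds of the toy cipher


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _rand_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Toy round function: keyed hash of (round index, right half), truncated.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for off in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[off : off + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for off in range(0, len(data), BLOCK):
        cur = data[off : off + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)


def record_seal(enc_key, mac_key, message, rng, tls_padding):
    """MAC-then-encrypt: message || MAC || filler || pad_len, under a fresh IV."""
    body = message + hmac.new(mac_key, message, hashlib.sha1).digest()
    pad_len = BLOCK - 1 - len(body) % BLOCK        # filler bytes before the length byte
    # TLS: every filler byte equals pad_len.  SSLv3: filler content is unspecified.
    filler = bytes([pad_len]) * pad_len if tls_padding else _rand_bytes(rng, pad_len)
    iv = _rand_bytes(rng, BLOCK)
    return iv + cbc_encrypt(enc_key, iv, body + filler + bytes([pad_len]))


def record_open(enc_key, mac_key, record, check_filler):
    """Receiver: returns the message, or None if the record is rejected.
    check_filler=False is SSLv3 (and a TLS stack with the TLS POODLE bug);
    check_filler=True is what the TLS specification requires."""
    iv, ct = record[:BLOCK], record[BLOCK:]
    if not ct or len(ct) % BLOCK:
        return None
    pt = cbc_decrypt(enc_key, iv, ct)
    pad_len = pt[-1]
    if pad_len >= BLOCK or len(pt) < pad_len + 1 + MAC_LEN:
        return None
    if check_filler and any(b != pad_len for b in pt[-pad_len - 1 : -1]):
        return None                                  # TLS rejects bad filler bytes
    body = pt[: len(pt) - pad_len - 1]
    message, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(mac_key, message, hashlib.sha1).digest()
    return message if hmac.compare_digest(mac, expected) else None


def make_victim(secret: bytes, strict_tls_padding: bool, seed: int = 2014):
    """A browser that appends the secret cookie to attacker-chosen requests, and the
    server it talks to. The RNG is seeded only so the demo is reproducible."""
    rng = random.Random(seed)
    enc_key, mac_key = _rand_bytes(rng, 16), _rand_bytes(rng, 16)

    def browser_request(prefix_len: int, suffix_len: int) -> bytes:
        # The attacker's script picks path length (prefix) and body length (suffix);
        # the browser adds the cookie the script cannot read.
        message = b"/" * prefix_len + secret + b"&" * suffix_len
        return record_seal(enc_key, mac_key, message, rng, strict_tls_padding)

    def server_accepts(record: bytes) -> bool:
        return record_open(enc_key, mac_key, record, strict_tls_padding) is not None

    return browser_request, server_accepts


def poodle_recover(browser_request, server_accepts, secret_len, max_tries=1 << 16):
    """Recover secret_len cookie bytes one at a time. Returns (secret, tries) or None."""
    recovered, tries = bytearray(), 0
    for k in range(secret_len):
        # Prefix length puts secret[k] in the last byte of plaintext block i ...
        prefix_len = (BLOCK - 1 - k) % BLOCK
        # ... and the suffix length makes message||MAC a whole number of blocks, so
        # the padding is a full block whose last byte must decrypt to BLOCK-1.
        suffix_len = -(prefix_len + secret_len + MAC_LEN) % BLOCK
        i = (prefix_len + k) // BLOCK
        while True:
            tries += 1
            if tries > max_tries:
                return None
            record = browser_request(prefix_len, suffix_len)
            c = [record[o : o + BLOCK] for o in range(0, len(record), BLOCK)]
            # c[0] is the IV, so ciphertext block C_j is c[j+1] and C_{i-1} is c[i].
            forged = b"".join(c[:-1]) + c[i + 1]      # C_i replaces the padding block
            if server_accepts(forged):
                # D(C_i) xor C_{n-1} = P_i xor C_{i-1} xor C_{n-1} ended in BLOCK-1.
                recovered.append((BLOCK - 1) ^ c[i][-1] ^ c[-2][-1])
                break
    return bytes(recovered), tries


if __name__ == "__main__":
    cookie = b"sid=7f3a9c"                           # constructed sample cookie value
    browser, server = make_victim(cookie, strict_tls_padding=False)
    print("SSLv3 receiver:", poodle_recover(browser, server, len(cookie)))
    browser, server = make_victim(cookie, strict_tls_padding=True)
    print("TLS receiver:  ", poodle_recover(browser, server, len(cookie), max_tries=2000))
```

Against the SSLv3-style receiver the script recovers the whole cookie in roughly 256 forced requests per byte; against the receiver that validates the filler bytes it exhausts its budget without a single acceptance, because a forged block is accepted only if all sixteen decrypted bytes happen to equal the padding length.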

Article Tags

SSL/TLS Vulnerabilities