A bug was discovered in the widely used Secure Sockets Layer version 3.0 (SSLv3) cryptographic protocol. Systems and applications using SSLv3 with Cipher Block Chaining (CBC) mode ciphers are at risk. The flaw was discovered by researchers at Google, who described how it can be exploited by a method they called the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack.
While the SSLv3 protocol is flawed, SSL certificates and their private keys are fine. SSL certificates are not affected and do not need replacing.
SSLv3 is an older protocol that was introduced around 1995 and has been replaced by Transport Layer Security (TLS): TLS v1.0, TLS v1.1, and TLS v1.2. Even though SSLv3 is old, it is still supported by most internet browsers, servers and systems using OpenSSL. In most cases, systems that support TLS will fall back or downgrade to SSLv3 as the need arises: when a secure connection fails, most servers will downgrade to an older protocol such as SSLv3.
One possible attack scenario is where an attacker controls the network between the client computer and the server. They could manipulate the handshake used by the cryptographic protocol to force the server into a so-called “protocol downgrade dance”. The idea is to get the systems involved to use the older SSLv3 protocol to secure the data being sent. The attacker could then exploit the bug with a man-in-the-middle (MITM) attack to compromise secure cookies, which could lead to information theft or illegal access to and control of a victim’s accounts.
Currently there is no fix for this vulnerability in SSLv3; the flaw is fundamental to the SSLv3 protocol. The solution is to disable the browser's use of SSLv3 and SSLv2 if possible, or to use a browser version with SSLv3 removed. Researchers also recommend patching servers and appliances with TLS_FALLBACK_SCSV, a protocol extension that prevents MITM attackers from being able to force a protocol downgrade.
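On the server side, the practical mitigation is to make sure SSLv3 (and SSLv2) is not in the list of enabled protocols. The script below is an added example, not part of the original article, that audits the protocol directives of nginx (`ssl_protocols`) and Apache (`SSLProtocol`) configuration text and reports any weak protocol still enabled; the sample configuration strings are constructed for the example, showing the weak setting beside the corrected one. It assumes Apache's `all` keyword expands to SSLv3 plus the TLS versions (the behaviour of Apache 2.4 with OpenSSL 1.0.1 at the time of POODLE), which is why `SSLProtocol all` alone is reported.

```python
"""Audit nginx / Apache TLS configuration for SSLv2 and SSLv3 exposure (POODLE)."""

# Protocols this audit treats as weak.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}

# Assumption: what Apache's "all" keyword expands to (Apache 2.4 + OpenSSL 1.0.1).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def _directive_args(config: str, name: str):
    """Yield the argument string of every `name` directive, ignoring '#' comments."""
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            # nginx directives end with ';', Apache ones do not.
            yield parts[1].rstrip(";").strip()


def nginx_protocols(config: str) -> set:
    """Union of protocols enabled by all `ssl_protocols` directives in the text."""
    enabled = set()
    for args in _directive_args(config, "ssl_protocols"):
        enabled.update(args.split())
    return enabled


def apache_protocols(config: str) -> set:
    """Union of protocols enabled by each `SSLProtocol` directive.

    Each directive is resolved on its own (`all`, `+X`, `-X`, bare `X`), then the
    results are merged so that any virtual host leaving SSLv3 on is reported.
    """
    enabled = set()
    for args in _directive_args(config, "SSLProtocol"):
        this_directive = set()
        for token in args.split():
            if token.lower() == "all":
                this_directive |= APACHE_ALL
            elif token.startswith("+"):
                this_directive.add(token[1:])
            elif token.startswith("-"):
                this_directive.discard(token[1:])
            else:
                this_directive.add(token)
        enabled |= this_directive
    return enabled


def weak_protocols(enabled: set) -> list:
    """Sorted list of enabled protocols that are considered weak."""
    return sorted(enabled & WEAK_PROTOCOLS)


# Constructed sample configurations: weak setting beside the corrected one.
WEAK_NGINX = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # SSLv3 still on\n"
HARDENED_NGINX = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"
WEAK_APACHE = "SSLProtocol all\n"
HARDENED_APACHE = "SSLProtocol all -SSLv2 -SSLv3\n"


def main():
    samples = [
        ("nginx (weak)", weak_protocols(nginx_protocols(WEAK_NGINX))),
        ("nginx (hardened)", weak_protocols(nginx_protocols(HARDENED_NGINX))),
        ("apache (weak)", weak_protocols(apache_protocols(WEAK_APACHE))),
        ("apache (hardened)", weak_protocols(apache_protocols(HARDENED_APACHE))),
    ]
    for label, findings in samples:
        status = "FAIL: " + ", ".join(findings) if findings else "ok"
        print(f"{label:20s} {status}")


if __name__ == "__main__":
    main()
```

Run it against a copy of your real configuration (for example `weak_protocols(apache_protocols(open("/etc/apache2/mods-enabled/ssl.conf").read()))`) to see which virtual hosts still accept SSLv3; an empty list means the configuration text itself no longer offers the weak protocols, though a live `openssl s_client -ssl3` probe against the running service remains the authoritative confirmation.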
This SSLv3 vulnerability is tracked in the National Vulnerability Database as CVE-2014-3566.