GlobalSign Blog

POODLE Vulnerability Expands Beyond SSLv3 to TLS 1.0 and 1.1

When we first reported on the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability in October, it was believed to only affect the SSLv3 protocol. However, the vulnerability, which could allow hackers to intercept and decrypt traffic between a user's browser and an SSL-secured website, has now been extended to certain TLS 1.0 and TLS 1.1 implementations.

The vulnerability affects implementations of TLS that don't properly check the structure of the padding used in TLS packets. So far, the vulnerabilities have been found with sites using load balancers from F5 Networks and A10 Networks to handle the TLS connections. Check out Google security engineer Adam Langley's post for more technical insight.
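To make the padding check concrete, here is an added C sketch (not code from this post, the affected vendors or any TLS library) that contrasts an SSLv3-style check, which trusts only the final length byte, with the check TLS requires, where every padding byte must equal the padding length. The function names and sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data: tails of decrypted CBC records, padding length 3. */
static const uint8_t GOOD_TAIL[] = {'d','a','t','a', 0x03, 0x03, 0x03, 0x03};
static const uint8_t BAD_TAIL[]  = {'d','a','t','a', 0xAA, 0xBB, 0xCC, 0x03};

/* Lax, SSLv3-style check: trusts the final length byte and never inspects
 * the padding bytes. Returns the padding length, or -1 if it cannot fit. */
int pad_check_lax(const uint8_t *rec, size_t len)
{
    if (len == 0) return -1;
    uint8_t pad = rec[len - 1];
    if ((size_t)pad + 1 > len) return -1;
    return pad;
}

/* Strict TLS check: each of the pad+1 trailing bytes must equal pad.
 * Differences are accumulated with no early exit. Real stacks do this in
 * constant time together with MAC verification, which is not shown. */
int pad_check_strict(const uint8_t *rec, size_t len)
{
    if (len == 0) return -1;
    uint8_t pad = rec[len - 1];
    if ((size_t)pad + 1 > len) return -1;
    uint8_t diff = 0;
    for (size_t i = 0; i <= pad; i++)
        diff |= (uint8_t)(rec[len - 1 - i] ^ pad);
    return diff == 0 ? pad : -1;
}

int main(void)
{
    printf("good: lax=%d strict=%d\n",
           pad_check_lax(GOOD_TAIL, sizeof GOOD_TAIL),
           pad_check_strict(GOOD_TAIL, sizeof GOOD_TAIL));
    printf("bad:  lax=%d strict=%d\n",
           pad_check_lax(BAD_TAIL, sizeof BAD_TAIL),
           pad_check_strict(BAD_TAIL, sizeof BAD_TAIL));
    return 0;
}
```

The malformed record passes the lax check but is rejected by the strict one; a TLS endpoint that behaves like the lax function is the kind of implementation the SSL Labs test flags.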

What should I do?

1. Check if your server is vulnerable by using the Qualys SSL Labs SSL Server test. If your server is vulnerable, you will receive an 'F' rating and the message, "This server is vulnerable to the POODLE attack against TLS servers. Patching required. Grade set to F."

Qualys SSL Server Test results for POODLE TLS vulnerability.

You can also find a list of affected F5 and A10 versions on our support page.

2. Apply the patch provided by your vendor. F5's are here; A10's are here. We'll add other affected vendors as they are announced.

Note: This vulnerability does not affect the SSL Certificates themselves. There is no need to reissue, renew, or reinstall any certificates at this time.

We'll update this post with more information as it is released.
