Protocol vulnerability affecting OMERO versions up to and including 5.0.5.
The POODLE attack, also known as CVE-2014-3566, can make use of SSLv3 if it is enabled.
From the CVE: "The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the POODLE issue."
All OMERO components (server, Java, Python, C++) prior to 5.0.6.
The POODLE attack is a man-in-the-middle attack and therefore "can succeed only when the attacker can impersonate each endpoint to the satisfaction of the other". As with 2014-SV3-CSRF, the POODLE attack can be used only if a user can be convinced or tricked into opening an untrusted connection.
Due to the complexity of such an exploit, we do not consider this a critical security vulnerability.
Use the provided patch to disable SSLv3:
All OMERO.server users should upgrade to at least 5.0.6:
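To confirm that an endpoint no longer negotiates SSLv3 after patching or upgrading, the following added example (not part of the OMERO advisory or its patch) sends a ClientHello that offers only SSL 3.0 and classifies the first record of the reply. The offered cipher-suite list, the function names and the host and port passed to `probe` are assumptions of this example.

```python
import os
import socket
import struct
import sys

SSL3 = b"\x03\x00"
# Offered CBC suites (an assumption of this example): RSA, DHE-RSA, anonymous DH.
SUITES = [0x002F, 0x0035, 0x000A, 0x0033, 0x0039, 0x0034, 0x003A, 0x001B]


def build_client_hello():
    """Return one SSLv3 record carrying a ClientHello that offers only SSL 3.0."""
    body = SSL3 + os.urandom(32)                  # client_version + random
    body += b"\x00"                               # empty session id
    body += struct.pack(">H", 2 * len(SUITES))    # cipher-suite list length
    body += b"".join(struct.pack(">H", s) for s in SUITES)
    body += b"\x01\x00"                           # one compression method: null
    hs = b"\x01" + struct.pack(">I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16" + SSL3 + struct.pack(">H", len(hs)) + hs


def classify(reply):
    """Interpret the first record the server sent back."""
    if len(reply) < 5:
        return "closed"
    if reply[0] == 0x16 and len(reply) >= 11 and reply[5] == 0x02:
        # ServerHello: the negotiated version sits at bytes 9..10.
        return "sslv3-accepted" if reply[9:11] == SSL3 else "other-version"
    if reply[0] == 0x15 and len(reply) >= 7:
        return "rejected(alert %d)" % reply[6]    # byte 6 is the alert description
    return "unknown"


def probe(host, port, timeout=5.0):
    """Connect, send the SSLv3-only hello and classify the server's answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello())
            return classify(s.recv(4096))
    except (socket.timeout, ConnectionResetError):
        return "closed"


if __name__ == "__main__":
    # Usage: python check_sslv3.py <host> <port>  (the script name is hypothetical)
    print(probe(sys.argv[1], int(sys.argv[2])))
```

A result of `sslv3-accepted` means the endpoint still speaks SSLv3. An alert or a closed connection means it was not negotiated with the suites offered here, so an alert 40 (handshake_failure) may reflect a cipher mismatch rather than a disabled protocol.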