affects OMERO versions 5.0.5 and earlier

back to Advisories


The POODLE attack, also known as CVE-2014-3566 can make use of SSLv3 if enabled.


From the CVE: "The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the POODLE issue."

Affected Packages

All OMERO components (server, Java, Python, C++) prior to 5.0.6.


The POODLE attack is a man-in-the-middle and therefore "can succeed only when the attacker can impersonate each endpoint to the satisfaction of the other". As with 2014-SV3-CSRF, only if a user can be convinced or tricked into opening an untrusted connection can the POODLE attack be used.

Due to the complexity of such an exploit, we do not consider this a critical security vulnerability.


Use 2014-SV4-poodle.patch to disable SSLv3.


All OMERO.servers should be upgraded to at least 5.0.6.

back to top