how to test POODLE vulnerability for Jboss 7AS

Question

We were facing the POODLE vulnerability in Jboss 7AS and I am able to provide a fix to the same issue.

By adding protocol="TLSv1,TLSv1.1,TLSv1.2" attribute to the ssl tag in standalone.xml.

Source

Now I didn't know how I can test it. Can someone please let me know the way to test it?

Answer 1

Try the nmap poodle detector

https://nmap.org/nsedoc/scripts/ssl-poodle.html

From the summary

Checks whether SSLv3 CBC ciphers are allowed (POODLE)

Run with -sV to use Nmap's service scan to detect SSL/TLS on non-standard ports. Otherwise, ssl-poodle will only run on ports that are commonly used for SSL.

POODLE is CVE-2014-3566. All implementations of SSLv3 that accept CBC ciphersuites are vulnerable. For speed of detection, this script will stop after the first CBC ciphersuite is discovered. If you want to enumerate all CBC ciphersuites, you can use Nmap's own ssl-enum-ciphers to do a full audit of your TLS ciphersuites.

Answer 2

Poodle is a vulnerability that implicitly affects to SSLv3. Then for check it, you have a lot of ways to do it.

First way with nmap:

 $ nmap -sT -p443 --script ssl-poodle <target>

Second way with nmap:

 $ nmap -sT -p443 --script ssl-enum-ciphers <target>

If here you have SSLv3 ciphers then you are vulnerable.

Other way, with sslscan:

$ sslscan <domain>

Other way, with openssl:

$ openssl s_client -ssl3 -connect host:port

If connect, you are vulnerable

Other way, using SSL Test Server of Qualys.

And in Java, you can try to connect SSLv3, if the server accept your connection, then you are vulnerable.

System.setProperty("https.protocols", "SSLv3");

Set the protocol SSLv3 before the connection.