The Secure Socket Tunneling Protocol is a VPN protocol developed by Microsoft. It sends traffic over an SSL version 3 connection.

Since SSLv3 is vulnerable to the POODLE attack, does this mean that SSTP traffic is vulnerable? This answer says that:

The main and about only plausible scenario where [the conditions required for the attack] are met is a Web context

but would this include web browsing over an SSTP VPN?

user2428118

2 Answers

I suspect that it's not realistically possible to use this exploit against SSTP. According to that answer, the attacker needs to be able to do two things in order to be able to exploit this vulnerability:

  • inject data of their own before and after the secret value that they want to obtain;
  • inspect, intercept and modify the resulting bytes on the wire.

The reason that the answer says:

The main and about only plausible scenario where such conditions are met is a Web context: the attacker runs a fake WiFi access point, and injects some JavaScript of their own as part of a Web page

is that you need access to the data both before and after it's encrypted. JavaScript in a browser is perfect for this as you can actually form the malicious request and send it all in your own execution context.

The only way to do this in the context of SSTP would be to have some kind of compromised access to the Windows machine that was trying to initiate the SSTP connection, and if you're in that situation you have far greater problems to worry about!

TL;DR: The POODLE vulnerability needs some specific circumstances to be exploited, which are not provided by the standard use case of an SSTP VPN.

Nic Barker

The answer is yes because SSTP also relies on SSL3.0, so nothing, apart from disabling SSL3.0 on both the client and server sides, prevents this session from being hijacked by an attacker, and thus sensitive information might be disclosed. Also SSTP, as far as I know, is not standardized yet, so this may cause problems when it comes to interoperability. At the time of its creation, Microsoft said SSTP is only a tunneling protocol (not an SSL VPN).
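
Added example, not part of either answer above: the mitigation named in the second answer is disabling SSL 3.0 on client and server, and one way to confirm what a server actually selected is to read the ServerHello from a captured handshake and check for SSLv3 with a CBC cipher suite, the combination POODLE depends on. The helper `sample_server_hello` and the bytes it produces are constructed for illustration.

```python
import struct

# Suites that do NOT use CBC in SSLv3 (NULL and RC4); any other suite is
# treated as CBC, which errs on the side of flagging.
NON_CBC = {0x0000, 0x0001, 0x0002, 0x0003, 0x0004, 0x0005, 0x0017, 0x0018}
# Note: TLS 1.3 also carries 0x0303 in this field.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_server_hello(data: bytes) -> dict:
    """Return the version and cipher suite the server selected."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    if ctype != 22:
        raise ValueError("not a handshake record (possibly an alert)")
    body = data[5:5 + rec_len]
    # handshake type(1) + length(3) + version(2) + random(32) + sid_len(1)
    if len(body) < 39 or body[0] != 2:
        raise ValueError("not a complete ServerHello")
    version = struct.unpack("!H", body[4:6])[0]
    off = 39 + body[38]  # skip the session id
    if len(body) < off + 2:
        raise ValueError("truncated before cipher suite")
    suite = struct.unpack("!H", body[off:off + 2])[0]
    sslv3 = version == 0x0300
    return {
        "version": VERSIONS.get(version, hex(version)),
        "suite": suite,
        # The POODLE precondition on the wire: SSLv3 with a CBC suite.
        "sslv3_cbc": sslv3 and suite not in NON_CBC,
    }


def sample_server_hello(version: int, suite: int) -> bytes:
    """Constructed test input: a minimal ServerHello with an empty session id."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00"
    hello += struct.pack("!HB", suite, 0)  # suite + null compression
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake


if __name__ == "__main__":
    for ver, suite in [(0x0300, 0x0035), (0x0300, 0x0005), (0x0303, 0x002F)]:
        print(parse_server_hello(sample_server_hello(ver, suite)))
```

A result with `sslv3_cbc` set to `False` only says the wire-level precondition is absent for that handshake; it does not test whether the server would accept SSLv3 from a different client.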