OpenSSL Security Advisory of 19 March 2015

1 minute read

Today there were multiple vulnerabilities released in OpenSSL, a cryptographic library used by CloudFlare (and most sites on the Internet). There has been advance notice that an announcement would be forthcoming, although the contents of the vulnerabilities were kept closely controlled and shared only with major operating system vendors until this notice.

Based on our analysis of the vulnerabilities and how CloudFlare uses the OpenSSL library, this batch of vulnerabilties primarily affects CloudFlare as a "Denial of Service" possibility (it can cause CloudFlare's proxy servers to crash), rather than as an information disclosure vulnerability. Customer traffic and customer SSL keys continue to be protected.

As is good security practice, we have quickly tested the patched version and begun a push to our production environment, to be completed within the hour. We encourage all customers to upgrade to the latest patched versions of OpenSSL on their own servers, particularly if they are using the 1.0.2 branch of the OpenSSL library.

The individual vulnerabilities included in this announcement are:

  • OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
  • Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
  • Multiblock corrupted pointer (CVE-2015-0290)
  • Segmentation fault in DTLSv1_listen (CVE-2015-0207)
  • Segmentation fault in ASN1TYPEcmp (CVE-2015-0286)
  • Segmentation fault for invalid PSS parameters (CVE-2015-0208)
  • ASN.1 structure reuse memory corruption (CVE-2015-0287)
  • PKCS7 NULL pointer dereferences (CVE-2015-0289)
  • Base64 decode (CVE-2015-0292)
  • DoS via reachable assert in SSLv2 servers (CVE-2015-0293)
  • Empty CKE with client auth and DHE (CVE-2015-1787)
  • Handshake with unseeded PRNG (CVE-2015-0285)
  • Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)
  • X509toX509_REQ NULL pointer deref (CVE-2015-0288)

We thank the OpenSSL project and the individual vulnerability reporters for finding, disclosing, and remediating these problems. All software has bugs, sometimes security critical bugs, and having a good process for handling them once identified is a necessary part of the world of computer software.



Spotlight on Women in Cybersecurity

less than 1 minute read

Sucuri is committed to helping women develop their careers in technology. On International Women’s Day, Sucuri team members share their insights into workin...

Hacked Website Trend Report – 2018

less than 1 minute read

We are proud to be releasing our latest Hacked Website Trend Report for 2018. This report is based on data collected and analyzed by the GoDaddy Security / ...