The Cloudflare Blog

Subscribe to receive notifications of new posts:

New OpenSSL vulnerabilities: CloudFlare systems patched

2014-06-05

John Graham-Cumming

1 min read

The OpenSSL team announced seven vulnerabilities covering OpenSSL 0.9.8, 1.0.0, 1.0.1 and 1.0.2 (i.e. all versions) earlier today.

The most serious of these is a potential on-path attack CVE-2014-0224 which is being referred to as CCS Injection. Both Google's Adam Langley and the original reporter of the problem have write ups that give more technical detail.

We have applied the required patch to all CloudFlare servers and customers are protected against CVE-2014-0224 and all the other vulnerabilities announced today.

Everyone who uses OpenSSL in their software or on their server should upgrade as soon as possible; the OpenSSL team has released new versions today.

We protect entire corporate networks, help customers build Internet-scale applications efficiently, accelerate any website or Internet application, ward off DDoS attacks, keep hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.

OpenSSL Vulnerabilities Reliability SSL

Follow on X

Cloudflare|@cloudflare

July 09, 2024 12:00 PM

RADIUS/UDP vulnerable to improved MD5 collision attack

The RADIUS protocol is commonly used to control administrative access to networking gear. Despite its importance, RADIUS hasn’t changed much in decades. We discuss an attack on RADIUS as a case study for why it’s important for legacy protocols to keep up with advancements in cryptography...

Vulnerabilities

June 26, 2024 8:23 PM

Automatically replacing polyfill.io links with Cloudflare’s mirror for a safer Internet

polyfill.io, a popular JavaScript library service, can no longer be trusted and should be removed from websites...

CDNJS, JavaScript, Vulnerabilities, Application Security, Application Services, Supply Chain Attacks, Attacks, Better Internet

May 30, 2024 1:00 PM

Disrupting FlyingYeti's campaign targeting Ukraine

In April and May 2024, Cloudforce One employed proactive defense measures to successfully prevent Russia-aligned threat actor FlyingYeti from launching their latest phishing campaign targeting Ukraine...

Cloudforce One

Cloud Email Security, Cloudflare Workers, Cloudforce One, CVE, Exploit, GitHub, Intrusion Detection, Malware, Microsoft, Phishing, Remote Browser Isolation, Russia, Serverless, Threat Data, Threat Intelligence, Threat Operations, Ukraine, Vulnerabilities

March 14, 2024 12:30 PM

Mitigating a token-length side-channel attack in our AI products

The Workers AI and AI Gateway team recently collaborated closely with security researchers at Ben Gurion University regarding a report submitted through our Public Bug Bounty program. Through this process, we discovered and fully patched a vulnerability affecting all LLM providers. Here’s the story...

Celso Martinho,
Michelle Chen

Bug Bounty, LLM, Vulnerabilities, Developer Platform, Workers AI, AI Gateway, SASE