Subscribe to receive notifications of new posts:

OpenSSL Security Advisory of 19 March 2015

03/19/2015

1 min read

Today there were multiple vulnerabilities released in OpenSSL, a cryptographic library used by CloudFlare (and most sites on the Internet). There has been advance notice that an announcement would be forthcoming, although the contents of the vulnerabilities were kept closely controlled and shared only with major operating system vendors until this notice.

Based on our analysis of the vulnerabilities and how CloudFlare uses the OpenSSL library, this batch of vulnerabilties primarily affects CloudFlare as a "Denial of Service" possibility (it can cause CloudFlare's proxy servers to crash), rather than as an information disclosure vulnerability. Customer traffic and customer SSL keys continue to be protected.

As is good security practice, we have quickly tested the patched version and begun a push to our production environment, to be completed within the hour. We encourage all customers to upgrade to the latest patched versions of OpenSSL on their own servers, particularly if they are using the 1.0.2 branch of the OpenSSL library.

The individual vulnerabilities included in this announcement are:

  • OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
  • Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
  • Multiblock corrupted pointer (CVE-2015-0290)
  • Segmentation fault in DTLSv1_listen (CVE-2015-0207)
  • Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
  • Segmentation fault for invalid PSS parameters (CVE-2015-0208)
  • ASN.1 structure reuse memory corruption (CVE-2015-0287)
  • PKCS7 NULL pointer dereferences (CVE-2015-0289)
  • Base64 decode (CVE-2015-0292)
  • DoS via reachable assert in SSLv2 servers (CVE-2015-0293)
  • Empty CKE with client auth and DHE (CVE-2015-1787)
  • Handshake with unseeded PRNG (CVE-2015-0285)
  • Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)
  • X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)

We thank the OpenSSL project and the individual vulnerability reporters for finding, disclosing, and remediating these problems. All software has bugs, sometimes security critical bugs, and having a good process for handling them once identified is a necessary part of the world of computer software.

We protect entire corporate networks, help customers build Internet-scale applications efficiently, accelerate any website or Internet application, ward off DDoS attacks, keep hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.
BugsOpenSSLVulnerabilitiesSSL

Follow on X

Ryan Lackey|@octal
Cloudflare|@cloudflare

Related posts

November 29, 2018 9:54 AM

Know your SCM_RIGHTS

As TLS 1.3 was ratified earlier this year, I was recollecting how we got started with it here at Cloudflare. We made the decision to be early adopters of TLS 1.3 a little over two years ago. It was a very important decision, and we took it very seriously....