
OpenSSL Security Advisory of 19 March 2015

2015-03-19


Today, multiple vulnerabilities were disclosed in OpenSSL, a cryptographic library used by CloudFlare (and most sites on the Internet). Advance notice had been given that an announcement would be forthcoming, although the details of the vulnerabilities were kept closely controlled and shared only with major operating system vendors until this notice.

Based on our analysis of the vulnerabilities and how CloudFlare uses the OpenSSL library, this batch of vulnerabilities primarily affects CloudFlare as a "Denial of Service" possibility (it can cause CloudFlare's proxy servers to crash), rather than as an information disclosure vulnerability. Customer traffic and customer SSL keys continue to be protected.

As is good security practice, we have quickly tested the patched version and begun a push to our production environment, to be completed within the hour. We encourage all customers to upgrade to the latest patched versions of OpenSSL on their own servers, particularly if they are using the 1.0.2 branch of the OpenSSL library.

The individual vulnerabilities included in this announcement are:

  • OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)

  • Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)

  • Multiblock corrupted pointer (CVE-2015-0290)

  • Segmentation fault in DTLSv1_listen (CVE-2015-0207)

  • Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)

  • Segmentation fault for invalid PSS parameters (CVE-2015-0208)

  • ASN.1 structure reuse memory corruption (CVE-2015-0287)

  • PKCS7 NULL pointer dereferences (CVE-2015-0289)

  • Base64 decode (CVE-2015-0292)

  • DoS via reachable assert in SSLv2 servers (CVE-2015-0293)

  • Empty CKE with client auth and DHE (CVE-2015-1787)

  • Handshake with unseeded PRNG (CVE-2015-0285)

  • Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)

  • X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)

We thank the OpenSSL project and the individual vulnerability reporters for finding, disclosing, and remediating these problems. All software has bugs, sometimes security critical bugs, and having a good process for handling them once identified is a necessary part of the world of computer software.

Ryan Lackey|@octal