OpenSSL Vulnerabilities: CVE-2014-0224, CVE-2014-0195

On June 5th, security researchers announced multiple newly discovered vulnerabilities in OpenSSL, as detailed in the articles below: 

CVE-2014-0195

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0195

This vulnerability relates to DTLS, which runs over UDP and is not used for ordinary web browser traffic. RedShield Cloud protected web applications are not affected by this vulnerability.

 

CVE-2014-0224

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224

The description of CVE-2014-0224 is as follows: 

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability. (CVE-2014-0224)
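The version ranges in the description above can be checked against the banner printed by `openssl version`. The following is an added example, not part of the original advisory or any RedShield tooling; the function names and sample banners are constructed for illustration. It covers only the ranges stated in the description, and distribution packages may backport the fix without changing the version letter, so a match should be confirmed against the package changelog.

```python
import re

# First fixed release per branch, taken from the CVE-2014-0224 description above.
FIXED = {
    (0, 9, 8): "za",
    (1, 0, 0): "m",
    (1, 0, 1): "h",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Return ((major, minor, fix), letters) from a banner such as
    'OpenSSL 1.0.1g 7 Apr 2014', or None if no version is found."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def letter_key(letters):
    """Order OpenSSL patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(letters), letters)


def in_affected_range(banner):
    """True if the version falls in a range named in the CVE description,
    False if it does not, None if the banner cannot be parsed."""
    parsed = parse_version(banner)
    if parsed is None:
        return None
    branch, letters = parsed
    if branch in FIXED:
        return letter_key(letters) < letter_key(FIXED[branch])
    # Branches older than 0.9.8 fall under "before 0.9.8za"; branches newer
    # than 1.0.1 are outside the ranges the description states.
    return branch < (0, 9, 8)


if __name__ == "__main__":
    # Constructed sample banners, not taken from any real host.
    for sample in ("OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.1h 5 Jun 2014",
                   "OpenSSL 0.9.8y", "OpenSSL 0.9.8za", "OpenSSL 1.0.1e-fips"):
        print(sample, "->", in_affected_range(sample))
```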

 

Please see below for statements relating to RedShield customers: 

RedShield Cloud Customers: 

RedShield Cloud protected applications are not affected by either CVE-2014-0224 or CVE-2014-0195. 

RedShield On-Premise Customers:

All RedShield On-Premise customers running vulnerable versions of F5 software have been notified. A statement from F5 Networks may be found here:

http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15325.html

 

If you require further information on this, or any other vulnerability which may potentially affect your systems, please open a support case with RedShield.

 
