OpenSSL Vulnerabilities: CVE-2014-0224, CVE-2014-0195



On June 5th, security researchers announced multiple newly discovered vulnerabilities in OpenSSL, as detailed in the articles below: 


CVE-2014-0195 relates to DTLS, which runs over UDP, and does not relate to ordinary web browser traffic. RedShield Cloud protected web applications are not affected by this vulnerability.



The description of CVE-2014-0224 is as follows: 

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability. (CVE-2014-0224)
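
As an added example (not part of the original article, and not RedShield or OpenSSL tooling), the version ranges in the CVE-2014-0224 description above can be checked against an `openssl version` banner. The function names and sample banners are assumptions constructed for illustration; distribution packages may backport the fix without changing the version string, so confirm any result against the vendor's package advisory.

```python
import re

# Fixed release per branch, from the CVE-2014-0224 description above.
FIXED = {(0, 9, 8): "za", (1, 0, 0): "m", (1, 0, 1): "h"}

# Matches e.g. "1.0.1g", "0.9.8za", "1.0.1e-fips" inside a version banner.
_VERSION = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]{0,2})\b")


def parse_version(banner):
    """Return ((major, minor, fix), letters) or None if no version is found."""
    m = _VERSION.search(banner)
    if m is None:
        return None
    return tuple(int(g) for g in m.groups()[:3]), m.group(4)


def _suffix_key(letters):
    # OpenSSL patch letters order as "" < a < ... < z < za < zb, so compare
    # by length first, then alphabetically.
    return (len(letters), letters)


def is_affected(banner):
    """True if the banner's version falls in a range the description names."""
    parsed = parse_version(banner)
    if parsed is None:
        raise ValueError(f"no OpenSSL version found in {banner!r}")
    branch, letters = parsed
    if branch < (0, 9, 8):
        return True  # "before 0.9.8za" also covers older branches
    if branch in FIXED:
        return _suffix_key(letters) < _suffix_key(FIXED[branch])
    return False  # branch not named in the description


if __name__ == "__main__":
    # Constructed sample banners in the style of `openssl version` output.
    for banner in (
        "OpenSSL 0.9.8y 5 Feb 2013",
        "OpenSSL 0.9.8za 5 Jun 2014",
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "OpenSSL 1.0.1h 5 Jun 2014",
    ):
        verdict = "affected" if is_affected(banner) else "not in affected range"
        print(banner, "->", verdict)
```
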


Please see below for statements relating to RedShield customers: 

RedShield Cloud Customers: 

RedShield Cloud protected applications are not affected by either CVE-2014-0224 or CVE-2014-0195. 

RedShield On-Premise Customers:

All RedShield On-Premise customers running vulnerable versions of F5 software have been notified. A statement from F5 Networks may be found here:


If you require further information on this, or any other vulnerability which may potentially affect your systems, please open a support case with RedShield.

