OpenSSL Vulnerabilities CVE-2014-0224, CVE-2014-0195
On June 5th, 2014, security researchers announced multiple newly discovered vulnerabilities in OpenSSL. The two most relevant to RedShield customers are detailed in the CVE entries below:
CVE-2014-0195
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0195
This vulnerability is in OpenSSL's DTLS implementation. DTLS runs over UDP and is not used for ordinary web browser traffic, so RedShield Cloud protected web applications are not affected by it.
CVE-2014-0224
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
The description of CVE-2014-0224 is as follows:
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability. (CVE-2014-0224)
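Two checks a practitioner can run against the description above, added here as an example; this is not code from the original advisory, from RedShield or from the OpenSSL project. The first compares an `openssl version` string with the fixed releases the CVE text names (0.9.8za, 1.0.0m, 1.0.1h). The second is a minimal active probe of the condition itself: it sends a TLS 1.0 ClientHello, waits for ServerHelloDone, then sends ChangeCipherSpec before any ClientKeyExchange. A fixed OpenSSL rejects that early CCS with a fatal unexpected_message alert (alert description 10); an unpatched one accepts it, which is the state the CVE describes. The host and port arguments, the three RSA cipher suites offered, and the TLS 1.0 record version are assumptions chosen for compatibility with the OpenSSL releases in scope. Only probe systems you are authorised to test.

```python
"""Version check and early-ChangeCipherSpec probe for CVE-2014-0224 (added example)."""
import os
import re
import socket
import struct

# branch -> first letter suffix that carries the fix, from the CVE text
FIXED = {(0, 9, 8): "za", (1, 0, 0): "m", (1, 0, 1): "h"}

def _letter_key(suffix):
    # OpenSSL suffixes sort a, b, ..., y, z, za, zb, ...; "" is the unlettered base release
    return (len(suffix), suffix)

def is_fixed_openssl(version_string):
    """True if an `openssl version` string is at or past the fix for its branch.
    Returns None for branches the CVE text does not cover (e.g. 1.0.2 betas)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version_string)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % version_string)
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    if branch not in FIXED:
        return None
    return _letter_key(m.group(4)) >= _letter_key(FIXED[branch])

HANDSHAKE, CCS, ALERT = 0x16, 0x14, 0x15
VERSION = b"\x03\x01"                      # TLS 1.0 (assumed): accepted by every release in scope
SERVER_HELLO_DONE, UNEXPECTED_MESSAGE = 14, 10

def _record(content_type, payload):
    return struct.pack("!B", content_type) + VERSION + struct.pack("!H", len(payload)) + payload

def build_client_hello(ciphers=(0x002F, 0x0035, 0x000A)):
    """Minimal ClientHello: TLS 1.0, three RSA suites (assumed), no session id, no extensions."""
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (VERSION + os.urandom(32) + b"\x00"
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                   # compression_methods: null only
    msg = b"\x01" + struct.pack("!I", len(body))[1:] + body  # client_hello(1), 24-bit length
    return _record(HANDSHAKE, msg)

def build_early_ccs():
    """The ChangeCipherSpec record that is injected before the key exchange."""
    return _record(CCS, b"\x01")

def iter_records(data):
    """Yield (content_type, payload) for each complete TLS record in a buffer."""
    off = 0
    while off + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        if off + 5 + length > len(data):
            break
        yield ctype, data[off + 5:off + 5 + length]
        off += 5 + length

def has_server_hello_done(data):
    """True once a server_hello_done(14) message is present; handshake fragments are reassembled
    across records first, since Certificate messages routinely span several records."""
    hs = b"".join(p for t, p in iter_records(data) if t == HANDSHAKE)
    pos = 0
    while pos + 4 <= len(hs):
        if hs[pos] == SERVER_HELLO_DONE:
            return True
        pos += 4 + int.from_bytes(hs[pos + 1:pos + 4], "big")
    return False

def classify_ccs_reply(reply):
    """Interpret what the server sent after the early CCS.
    'patched'  -> alert unexpected_message(10): the fixed behaviour
    'alert'    -> a different alert; not the CVE-2014-0224 pattern, inspect manually
    'accepted' -> no alert: consistent with an unpatched OpenSSL that took the CCS and is
                  now waiting for Finished (a bare timeout is ambiguous; re-run to confirm)"""
    for ctype, payload in iter_records(reply):
        if ctype == ALERT and len(payload) >= 2:
            return "patched" if payload[1] == UNEXPECTED_MESSAGE else "alert"
    return "accepted"

def probe(host, port=443, timeout=5.0):
    """Run the exchange against a live server and return classify_ccs_reply()'s verdict."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        buf = b""
        while not has_server_hello_done(buf):
            chunk = s.recv(16384)
            if not chunk:
                raise ConnectionError("server closed before ServerHelloDone")
            buf += chunk
        s.sendall(build_early_ccs())
        try:
            reply = s.recv(16384)
        except socket.timeout:
            reply = b""
        return classify_ccs_reply(reply)

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

The probe only tells you whether one endpoint accepts an early ChangeCipherSpec. The hijack the CVE describes additionally requires the client to be a vulnerable OpenSSL, so a patched client talking to an unpatched server is not exploitable this way; treat the verdict as a patch-status check, not a full exposure assessment.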
Please see below for statements relating to RedShield customers:
RedShield Cloud Customers:
RedShield Cloud protected applications are not affected by either CVE-2014-0224 or CVE-2014-0195.
RedShield On-Premise Customers:
All RedShield On-Premise customers running vulnerable versions of F5 software have been notified. A statement from F5 Networks may be found here:
http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15325.html
If you require further information on this, or on any other vulnerability which may affect your systems, please open a support case with RedShield.