On Wednesday, 2014-08-06, the OpenSSL Project disclosed nine low- and moderate-severity vulnerabilities, with details published here.

These are vulnerabilities that can potentially impact OpenSSL clients and servers worldwide.

We currently believe our services are not impacted by CVE-2014-3508, CVE-2014-3509, CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3510, and CVE-2014-3512.

We are in the process of rolling out a fix to address vulnerabilities CVE-2014-3511 and CVE-2014-5139 for each of our relevant services.

Akamai is investigating the vulnerabilities further, and will provide additional communication if needed.

Some of the vulnerabilities, as outlined in the advisory, include:

• An information leak in pretty printing functions 
• A crash condition with SRP ciphersuite in Server Hello message 
• A race condition in ssl_parse_serverhello_tlsext 
• Double Free when processing DTLS packets 
• A DTLS memory exhaustion condition 
• DTLS memory leak from zero-length fragments 
• An OpenSSL DTLS anonymous EC(DH) denial of service 
• An OpenSSL TLS protocol downgrade attack

• A SRP buffer overrun