On Wednesday, 2014-08-06, the OpenSSL Project disclosed nine low- and moderate-severity vulnerabilities, with details published in the OpenSSL security advisory.
These are vulnerabilities that can potentially impact OpenSSL clients and servers worldwide.
We currently believe our services are not impacted by CVE-2014-3508, CVE-2014-3509, CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3510, and CVE-2014-3512.
We are in the process of rolling out a fix to address vulnerabilities CVE-2014-3511 and CVE-2014-5139 for each of our relevant services.
Akamai is investigating the vulnerabilities further, and will provide additional communication if needed.
Some of the vulnerabilities, as outlined in the advisory, include:
- An information leak in pretty printing functions
- A crash condition with SRP ciphersuite in Server Hello message
- A race condition in ssl_parse_serverhello_tlsext
- Double Free when processing DTLS packets
- A DTLS memory exhaustion condition
- DTLS memory leak from zero-length fragments
- An OpenSSL DTLS anonymous EC(DH) denial of service
- An OpenSSL TLS protocol downgrade attack
- An SRP buffer overrun