The Akamai Blog

OpenSSL Vulnerabilities

On Wednesday, 2014-08-06, the OpenSSL Project disclosed nine low- and moderate-severity vulnerabilities, with details published in the project's security advisory.

These are vulnerabilities that can potentially impact OpenSSL clients and servers worldwide.

We currently believe our services are not impacted by CVE-2014-3508, CVE-2014-3509, CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3510, and CVE-2014-3512.

We are in the process of rolling out a fix to address vulnerabilities CVE-2014-3511 and CVE-2014-5139 for each of our relevant services.

Akamai is investigating the vulnerabilities further, and will provide additional communication if needed.

Some of the vulnerabilities, as outlined in the advisory, include:

  • An information leak in pretty-printing functions
  • A crash condition with the SRP ciphersuite in the Server Hello message
  • A race condition in ssl_parse_serverhello_tlsext
  • A double free when processing DTLS packets
  • A DTLS memory exhaustion condition
  • A DTLS memory leak from zero-length fragments
  • An OpenSSL DTLS anonymous EC(DH) denial of service
  • An OpenSSL TLS protocol downgrade attack
  • An SRP buffer overrun
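The practical first step after an advisory like this is an inventory check: which hosts still link an OpenSSL build older than the fixed release for their branch? The script below is an added example written for this post, not Akamai's tooling or the OpenSSL Project's code. It parses `openssl version` style strings (including the pre-1.1 patch-letter scheme where `zb` sorts after `z`), compares them only within the same release branch, and flags hosts that fall short. The host names and version lines in `SAMPLE_INVENTORY` are constructed, and the thresholds in `EXAMPLE_MINIMUMS` are placeholders to illustrate the shape; take the real fixed versions from the OpenSSL advisory itself.

```python
import re
import ssl
from typing import Dict, List, Optional, Tuple

# Constructed sample of `openssl version` output collected from a fleet (not real hosts).
SAMPLE_INVENTORY: Dict[str, str] = {
    "web-01": "OpenSSL 1.0.1h 5 Jun 2014",
    "web-02": "OpenSSL 1.0.1i 6 Aug 2014",
    "legacy-db": "OpenSSL 0.9.8za 5 Jun 2014",
    "build-box": "OpenSSL 1.0.0m 5 Jun 2014",
}

# Placeholder minimum version per release branch; in practice these come from the
# OpenSSL advisory, not from this script.
EXAMPLE_MINIMUMS: Dict[str, str] = {
    "1.0.1": "1.0.1i",
    "1.0.0": "1.0.0n",
    "0.9.8": "0.9.8zb",
}

# Matches "OpenSSL 1.0.1h 5 Jun 2014" as well as a bare "1.0.1h" or "3.0.2".
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def _letters_rank(letters: str) -> int:
    """Encode the pre-1.1 patch-letter suffix so that '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    rank = 0
    for ch in letters:
        rank = rank * 26 + (ord(ch) - ord("a") + 1)
    return rank


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, fix, patch_rank) or None if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), _letters_rank(letters))


def is_at_least(installed: str, minimum: str) -> Optional[bool]:
    """Compare two versions on the same branch; None if unparseable or branches differ."""
    a, b = parse_version(installed), parse_version(minimum)
    if a is None or b is None or a[:3] != b[:3]:
        return None
    return a[3] >= b[3]


def find_outdated(inventory: Dict[str, str], minimums: Dict[str, str]) -> List[str]:
    """Hosts whose OpenSSL is below the minimum for its branch, or cannot be assessed."""
    outdated: List[str] = []
    for host, line in inventory.items():
        v = parse_version(line)
        if v is None:
            outdated.append(host)  # unparseable output: needs manual review
            continue
        branch = f"{v[0]}.{v[1]}.{v[2]}"
        minimum = minimums.get(branch)
        # A branch with no known fixed release is also flagged rather than silently passed.
        if minimum is None or not is_at_least(line, minimum):
            outdated.append(host)
    return outdated


def local_version() -> str:
    """Version string of the OpenSSL this Python interpreter is linked against."""
    return ssl.OPENSSL_VERSION


if __name__ == "__main__":
    print("Local OpenSSL:", local_version())
    for host in find_outdated(SAMPLE_INVENTORY, EXAMPLE_MINIMUMS):
        print("needs update:", host)
```

Hosts on a branch with no entry in the minimum table are reported as well, since an unknown branch is more likely an end-of-life build than a safe one; silently passing it would hide exactly the machines most worth a look.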