The following advisory was written by CSIRT Manager Mike Kun:
We are aware of a newly-announced vulnerability, found by Adam Langley and Brian Smith, in some implementations of the TLS 1.x protocol that allows for a man-in-the-middle attack. It can result in the compromise of transactions carried over TLS 1.x. For more details, read the original article.
What does this mean for Akamai?
The Akamai platform does not appear to be vulnerable to this threat. The mitigation Akamai implemented for the original POODLE attack appears to cover this attack.
What does this mean for Akamai Customers?
While Akamai does not appear to be vulnerable to this attack, simply using Akamai's platform will not protect you. Because this is a MITM (man-in-the-middle) attack, an attacker positioned between Akamai and a vulnerable origin can capture that traffic and decrypt it. Traffic passing between an end user and Akamai will be secure, as Akamai EdgeServers are already patched against the original POODLE vulnerability.
At this time, this vulnerability has only been observed in some hardware devices that terminate SSL such as VPN concentrators or load balancers. Customers are strongly encouraged to check any devices that terminate SSL and verify their status, using this test. If vulnerable, remediate by applying a vendor-supplied patch as soon as possible.
Customers who have enabled SSLv3 are, of course, still vulnerable to the original POODLE attack.
Q: Can Kona be used to detect or prevent this attack?
A: This attack is effectively the POODLE vulnerability applied to TLS. Because it is a transport-protocol-level vulnerability, Akamai's Kona does not detect or block it. Remediation is only available via a vendor patch.
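As an added illustration (not Akamai's code or part of the original advisory), here is the record-layer mistake behind this flaw: TLS 1.x requires every padding byte of a CBC record to equal the padding-length byte, whereas the affected implementations checked only the length byte, which is all SSLv3 ever required. The lenient function below is the vulnerable behaviour and the strict one is what RFC 5246 section 6.2.3.2 requires; the block size and sample records are constructed assumptions, and the MAC step of a real record is omitted.

```python
BLOCK = 16  # assumed AES-CBC block size in bytes (constructed example)


def pad_tls(data: bytes, block: int = BLOCK) -> bytes:
    """TLS 1.x padding: pad_len + 1 bytes, each equal to pad_len,
    bringing the record to a multiple of the block size."""
    pad_len = (block - (len(data) + 1) % block) % block
    return data + bytes([pad_len]) * (pad_len + 1)


def strip_padding_lenient(plaintext: bytes) -> bytes:
    """SSLv3-style check, as found in the vulnerable TLS stacks:
    trusts the length byte and never looks at the filler bytes."""
    if not plaintext:
        raise ValueError("empty record")
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        raise ValueError("bad padding")
    return plaintext[: len(plaintext) - pad_len - 1]


def strip_padding_strict(plaintext: bytes) -> bytes:
    """TLS 1.x check: every one of the pad_len + 1 trailing bytes must
    equal pad_len. All bytes are compared so the work does not depend
    on where a mismatch sits."""
    if not plaintext:
        raise ValueError("empty record")
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        raise ValueError("bad padding")
    mismatch = 0
    for b in plaintext[len(plaintext) - pad_len - 1 :]:
        mismatch |= b ^ pad_len
    if mismatch:
        raise ValueError("bad padding")
    return plaintext[: len(plaintext) - pad_len - 1]


def accepts(check, record: bytes) -> bool:
    """True if the given padding check accepts the decrypted record."""
    try:
        check(record)
        return True
    except ValueError:
        return False


# Constructed records: a well-formed one and one whose 13 filler bytes
# were replaced with arbitrary values while the length byte (0x0d) stays.
GOOD_RECORD = pad_tls(b"OK")
TAMPERED_RECORD = b"OK" + bytes(range(13)) + b"\x0d"
```

A server that accepts TAMPERED_RECORD while rejecting records with a wrong length byte is exactly the padding oracle this advisory is about.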
A: We will maintain this blog with interesting news from Akamai. As there are new developments, if any, we will do our best to only deliver verified information, sacrificing frequency of updates for accuracy. For customer-specific information, Akamai customers are also encouraged to check their Luna Portal advisories or contact their account teams directly.