Akamai Diversity

The Akamai Blog

OpenSSL Vulnerability (CVE-2015-1793)

Akamai is aware of the OpenSSL vulnerability addressed in OpenSSL versions 1.0.2d and 1.0.1p on Thursday, July 9, 2015. Akamai does not use the vulnerable versions of OpenSSL and is therefore not affected.

The OpenSSL team advisory outlines the vulnerability and fixes. The advisory states:

During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. This issue impacts any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.

The vulnerability was reported to OpenSSL on 24th June 2015 by Adam Langley/David Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project, and released by OpenSSL on July 9th, 2015.

Though Akamai is not affected, we recommend that if you run OpenSSL in your origin infrastructure, you consult your security advisory team to review the vulnerability and upgrade your software and/or address the vulnerability as necessary.

If you have any questions or concerns regarding this vulnerability and your Akamai services, please use our Community post dedicated to the subject. You may also contact your Akamai Representative, or call Customer Care at 1.877.4.AKATEC or 1.617.444.4699.