February 3, 2016

Security Update: Protecting CDN Customers Against OpenSSL Vulnerabilities (CVE-2016-0701, CVE-2015-3197 and CVE-2015-4000)

On Jan 28, 2016, OpenSSL released three patches (shipped in versions 1.0.2f and 1.0.1r) to address security vulnerabilities and strengthen an existing protection.

In keeping with our commitment to provide world-class security to our customers, we have updated Verizon Digital Media Services’ global CDN to use the latest patched version (1.0.2f) of the OpenSSL library.

The three patches released by OpenSSL address the following vulnerabilities:

  1. The first, and most important, patch fixes a high-severity vulnerability in the Diffie-Hellman (DH) key exchange, assigned CVE-2016-0701. Historically OpenSSL only generated DH parameters based on "safe" primes; version 1.0.2 added support for generating X9.42-style parameters (such as those required for RFC 5114), whose primes are not necessarily safe. If a server uses DH parameters built on a non-safe prime and reuses the same private DH exponent across handshakes (that is, it does not set SSL_OP_SINGLE_DH_USE), an attacker can complete a series of handshakes with crafted public values and recover the server's private exponent, and with it the shared secrets protecting the affected TLS sessions. The vulnerability affects only version 1.0.2 of OpenSSL; 1.0.2f adds a check on the peer's public value where a q parameter is available and turns SSL_OP_SINGLE_DH_USE on by default.
  2. The second patch addresses a low-severity vulnerability, CVE-2015-3197, that allows a malicious client to negotiate SSLv2 ciphers that have been disabled on the server and complete an SSLv2 handshake even if all SSLv2 ciphers are disabled, provided the SSLv2 protocol itself was not also disabled with SSL_OP_NO_SSLv2. It affects versions 1.0.1 and 1.0.2 of OpenSSL. Verizon's CDN is not impacted by this vulnerability because the SSLv2 protocol is disabled on our network.
  3. Finally, this release strengthens the protection against the Logjam vulnerability (CVE-2015-4000) by raising the minimum size of DH parameters an OpenSSL client will accept in a TLS handshake from 768 to 1024 bits. This change applies to both the 1.0.1 and 1.0.2 versions of OpenSSL.
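
The attack behind CVE-2016-0701 is a small-subgroup attack, and the reason safe primes and SSL_OP_SINGLE_DH_USE matter is easiest to see in code. The following is an added example written for this post, not OpenSSL code and not part of the original advisory. It models a server that reuses its private DH exponent over a toy-sized modulus (about 2^20, so the brute force finishes instantly), recovers the exponent through the same handshake-success oracle a real client has, and then runs the same attack against a safe prime of the same size to show that the attacker learns nothing beyond the parity of the exponent. The class and function names, the BUDGET constant, the constructed moduli and the seeded randomness are all assumptions of the example.

```python
import random

BUDGET = 1 << 16  # largest subgroup the attacker will enumerate (assumed figure)

def is_prime(n):
    """Trial division: enough for the ~2^20 toy sizes used here."""
    return n > 1 and all(n % i for i in range(2, int(n ** 0.5) + 1))

def factor(n):
    """{prime: exponent} of n by trial division (toy sizes only)."""
    factors, r = {}, 2
    while r * r <= n:
        while n % r == 0:
            factors[r] = factors.get(r, 0) + 1
            n //= r
        r += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def is_safe_prime(p):
    """p = 2q + 1 with q prime: the only shape OpenSSL generated before 1.0.2."""
    return is_prime(p) and is_prime((p - 1) // 2)

def find_safe_prime(start):
    return next(p for p in range(start | 1, 2 * start, 2) if is_safe_prime(p))

def find_unsafe_prime(start, budget=BUDGET):
    """First prime >= start whose group order p-1 splits entirely into prime
    powers <= budget: a valid DH modulus, but one where every subgroup leaks."""
    def leaky(p):
        return is_prime(p) and max(r ** e for r, e in factor(p - 1).items()) <= budget
    return next(p for p in range(start | 1, 2 * start, 2) if leaky(p))

class StaticDHServer:
    """Server reusing one private exponent for every handshake, i.e.
    OpenSSL 1.0.2 before 1.0.2f with SSL_OP_SINGLE_DH_USE left unset."""

    def __init__(self, p, rng):
        self.p, self.x, self.handshakes = p, rng.randrange(2, p - 1), 0

    def handshake(self, client_pub, client_secret_guess):
        """The oracle TLS hands a client: the handshake completes only when
        the client's Finished was keyed from the secret the server derived."""
        self.handshakes += 1
        return pow(client_pub, self.x, self.p) == client_secret_guess

def element_of_order(p, r, e, rng):
    """Random element of exact order r**e in Z_p^* (needs r**e | p-1);
    the attacker computes it offline from the public parameters."""
    while True:
        h = pow(rng.randrange(2, p - 1), (p - 1) // r ** e, p)
        if pow(h, r ** (e - 1), p) != 1:
            return h

def crt(residues, moduli):
    """Combine x = a_i mod m_i (pairwise coprime m_i) into (x mod M, M)."""
    x, m = 0, 1
    for a, mi in zip(residues, moduli):
        x += m * (((a - x) * pow(m, -1, mi)) % mi)
        m *= mi
    return x, m

def recover_exponent(server, rng, budget=BUDGET):
    """Small-subgroup attack: a client value of order r**e makes the server's
    secret depend only on x mod r**e, which the handshake oracle lets the
    attacker brute-force; CRT then stitches the residues back into x."""
    p, residues, moduli = server.p, [], []
    for r, e in sorted(factor(p - 1).items()):
        order = r ** e
        if order > budget:
            continue  # subgroup too large to enumerate: nothing cheap to learn
        h = element_of_order(p, r, e, rng)
        for candidate in range(order):
            if server.handshake(h, pow(h, candidate, p)):
                residues.append(candidate)
                moduli.append(order)
                break
    return crt(residues, moduli)

def attack_report(p, seed=1):
    """Attack a static-exponent server using modulus p (seeded for repeatability)."""
    rng = random.Random(seed)
    server = StaticDHServer(p, rng)
    x, modulus = recover_exponent(server, rng)
    return {"safe_prime": is_safe_prime(p),
            "fully_recovered": modulus == p - 1,    # x is then the exact exponent
            "consistent": x == server.x % modulus,
            "handshakes": server.handshakes}

if __name__ == "__main__":
    weak = find_unsafe_prime(1 << 20)  # constructed unsafe modulus
    safe = find_safe_prime(1 << 20)    # constructed safe prime of the same size
    print("unsafe prime", weak, attack_report(weak))
    print("safe prime  ", safe, attack_report(safe))
```

With the unsafe modulus the report shows `fully_recovered` after at most the sum of the subgroup orders in handshakes; with the safe prime the only enumerable subgroup has order 2, so the attacker ends with x mod 2 and nothing more. Rotating the exponent on every handshake, which is what SSL_OP_SINGLE_DH_USE does and what 1.0.2f now forces, breaks the combination step, because each residue would belong to a different x. For parameter files of real size, `is_safe_prime` above is far too slow; `openssl dhparam -check` performs the equivalent check, and parameters in X9.42 style (the kind that carry a q value) are the case the advisory singles out.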

For comprehensive protection, customers using the 1.0.1 branch of the OpenSSL library in their applications are advised to upgrade to version 1.0.1r, and those using the 1.0.2 branch to version 1.0.2f. Verizon's global CDN has been updated to version 1.0.2f of the OpenSSL library, which includes all three patches.

For more information on the vulnerabilities, see the OpenSSL Security Advisory: https://www.openssl.org/news/secadv/20160128.txt

Dave Andrews, Sec.C Lead Engineer
Vikas Phonsa, Senior Product Manager – Security Solutions.