On July 9, 2015, OpenSSL issued a security advisory (https://www.openssl.org/news/secadv_20150709.txt) to announce a critical certificate validation vulnerability in the popular OpenSSL software.
The vulnerability allows attackers to bypass certain checks in the TLS/SSL certificate verification process so that a leaf certificate is treated as a Certificate Authority (CA) certificate. An attacker who can act as a CA can issue forged certificates for websites, and can then intercept TLS/SSL connections between vulnerable applications and those websites by impersonating the website. This would also allow the attacker to view or modify the data exchanged between the two.
According to the advisory, “This issue will impact any application that verifies certificates, including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.”
This vulnerability affects versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o of the OpenSSL software library.
Verizon has fully patched all our CDN edge servers to protect against this latest OpenSSL vulnerability. We advise customers who use OpenSSL in their origin infrastructure to review the vulnerability and upgrade their software to ensure comprehensive protection for their websites. OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d, and OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p.
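An added example (not from the Verizon advisory or from OpenSSL) that exercises the property described above: a leaf certificate (basicConstraints CA:FALSE) must not be accepted as the issuer of another certificate. It builds a throwaway PKI with the openssl command-line tool on whatever OpenSSL is installed and assumes only that `openssl` and `mktemp` are available; it is a sanity check of that invariant, not a reproducer of the advisory's specific bypass.

```shell
#!/bin/sh
# Added example: build root (CA:TRUE) -> leaf (CA:FALSE) -> forged (signed with
# the leaf's key) and confirm that OpenSSL refuses the forged certificate.
set -e

# Minimal CSR config: -subj supplies the name, so the DN section stays empty.
make_req_config() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
}

# issue_cert NAME ISSUER EXTENSIONS: key + CSR for NAME, signed by ISSUER's key.
# openssl x509 -req signs with whatever key it is given; it does not check
# whether ISSUER is allowed to act as a CA. That check belongs to the verifier.
issue_cert() {
    printf '%b\n' "$3" > "$1.ext"
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -days 1 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# Construct the test PKI in a fresh temporary directory (constructed data).
build_pki() {
    work=$(mktemp -d); cd "$work"
    make_req_config
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > root.ext
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=root" \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile root.ext \
        -out root.crt 2>/dev/null
    issue_cert leaf root 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment'
    issue_cert forged leaf 'basicConstraints=critical,CA:FALSE'
}

# Positive control: the genuine leaf chains to the root and verifies.
leaf_chain_valid() {
    openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1
}

# Property under test: a certificate issued by the non-CA leaf must be rejected
# even when the leaf is offered as an intermediate. Returns 0 on rejection.
leaf_rejected_as_issuer() {
    if openssl verify -CAfile root.crt -untrusted leaf.crt forged.crt >/dev/null 2>&1; then
        return 1   # accepted: a leaf certificate was allowed to act as a CA
    fi
    return 0
}

build_pki
openssl version
leaf_chain_valid && echo "genuine leaf chain: accepted (expected)"
leaf_rejected_as_issuer && echo "leaf-signed certificate: rejected (expected)"
```

If the second line does not print, the installed OpenSSL accepted a non-CA certificate as an issuer and should be treated as broken regardless of its version string.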