OpenSSL Security Advisory of 19 March 2015

On March 19, 2015, multiple vulnerabilities were discovered in OpenSSL, a cryptographic library used by CloudFlare and most websites on the internet. The vulnerabilities primarily affect CloudFlare as a "Denial of Service" possibility rather than an information disclosure vulnerability. Customer traffic and SSL keys remain protected. CloudFlare has quickly tested the patched version and begun pushing it to their production environment. They encourage customers to upgrade to the latest patched versions of OpenSSL on their own servers, particularly if they are using the 1.0.2 branch of the library. The individual vulnerabilities included in this announcement are: CVE-2015-0291, CVE-2015-0204, CVE-2015-0290, CVE-2015-0207, CVE-2015-0286, CVE-2015-0208, CVE-2015-0287, CVE-2015-0289, CVE-2015-0292, CVE-2015-0293, CVE-2015-1787, CVE-2015-0285, CVE-2015-0209, and CVE-2015-0288. CloudFlare thanks the OpenSSL project and individual vulnerability reporters for their work in finding, disclosing, and remediating these issues.