Staying ahead of OpenSSL vulnerabilities
On April 7, 2014, a vulnerability in OpenSSL 1.0.1 was announced, allowing attackers to reveal up to 64kB of memory to connected clients or servers (CVE-2014-0160). CloudFlare fixed this issue before it went public and all sites using their SSL service were automatically protected. OpenSSL is the core cryptographic library used by CloudFlare for SSL/TLS connections, with a large deployment on the internet. They encourage others running servers that use OpenSSL to upgrade to version 1.0.1g or recompile with the OPENSSL_NO_HEARTBEATS flag enabled for protection against this vulnerability. This bug fix exemplifies responsible disclosure, where stakeholders are given a chance to fix issues before public disclosure, helping keep the internet safe.
Company
Cloudflare
Date published
April 7, 2014
Author(s)
Nick Sullivan
Word count
281
Language
English
Hacker News points
None found.