On May 3, 2016, a new version of the OpenSSL library was released. The latest version (1.0.2h) addresses several security vulnerabilities, including two marked as “high” severity. To ensure our customers continue to get world-class security, we have updated Verizon Digital Media Services’ global CDN to use the latest version (1.0.2h) of the the OpenSSL library.

The following high-severity vulnerabilities have been addressed in version 1.0.2h:

1. Memory corruption in the ASN.1 encoder: This vulnerability, indexed as CVE-2016-2108, was found in the OpenSSL ASN.1 encoder. It can lead to memory corruption and allow attackers to execute malicious code on vulnerable machines. Applications that parse and re-code X.509 certificates are known to be vulnerable, and the vulnerability can be exploited using malformed digital certificates signed by trusted certificate authorities.
2. Padding oracle in AES-NI CBC MAC check: This vulnerability, indexed as CVE-2016-2107, can allow attackers to use padding oracle attacks to decrypt traffic when the connection uses an AES CBC cipher, and the server chipset supports AES-NI encryption.

For a complete list of the vulnerabilities addressed in the release, please see the OpenSSL Security Advisory: https://www.openssl.org/news/secadv/20160503.txt

To ensure comprehensive security of web applications, we advise our customers to upgrade their applications and origin infrastructure to use version 1.0.2h of the OpenSSL library. If you are using version 1.0.1, you are advised to upgrade to version 1.0.1t that was also released on May 3, 2016. Please note that OpenSSL will end the support for version 1.0.1 on December 31, 2016.

Dave Andrews, Sec.C Lead Engineer
Vikas Phonsa, Senior Product Manager — Security Solutions