Imperva Security Response for CVE-2014-0224

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec (CCS) messages. A man-in-the-middle attacker positioned between two OpenSSL endpoints can inject a CCS message early in the handshake so that both sides derive their session keys from a zero-length master secret, after which the attacker can decrypt or modify the traffic ("CCS Injection"). The server-side weakness affects all of the versions listed above; the attack is only practical when both client and server run unpatched OpenSSL.

Revision History
Date        Comment
6/6/2014    Initial Version

Status Summary
  • Organizations can mitigate this vulnerability in their applications using Imperva SecureSphere WAF (see Protecting Applications below for details).
  • Only SecureSphere version 10.5 is itself affected by this vulnerability. Exposure is limited to the WAF Gateway management port, which is not commonly exposed externally and is therefore considered low risk (see Affected Imperva Products below).

1) Protecting Applications:

Imperva customers can use SecureSphere WAF to protect vulnerable applications as follows:
  • When deployed in Kernel Reverse Proxy (KRP) mode, SecureSphere WAF automatically protects customer applications because SecureSphere terminates the SSL connection itself, so the client's handshake messages never reach the protected server.
  • When deployed in bridge mode, SecureSphere should be configured to block "SSL Untraceable Connection".
    • This method works in versions 9.5 and later.
    • The latest patch releases for versions 9.0, 9.5, 10.0 and 10.5 (see below) provide finer granularity when blocking SSL untraceable connections in bridge mode.
      • Note: After following the patch instructions and changing the file bootstrap.xml on the WAF appliance, only SSL untraceable connections with protocol violations (the ones reported with "ssl fatal error") will be blocked; untraceable connections without a protocol violation are no longer blocked.
    • While there are no known exploits for this vulnerability, Imperva Application Defense Center (ADC) research indicates that an exploitation attempt generates "untraceable SSL connection" alerts of type "protocol violation". Additional investigation is being performed to ensure the above mitigation covers all scenarios.
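The probe below is an added example written for this page; it is not Imperva or OpenSSL code. It reproduces the condition named in the vulnerability summary, a ChangeCipherSpec sent before any key exchange, and classifies the server's reaction: a server carrying the OpenSSL fix answers the early CCS with a fatal unexpected_message alert (a fatal alert of this kind is what a protocol-aware inspection device can flag as an SSL protocol violation), while a server that accepts it without an alert is reported as suspect. It does not perform the man-in-the-middle attack itself. The host, port, timeout and cipher-suite list are assumptions for illustration, and the record bytes used in the usage notes are constructed for the example. Run it only against systems you are authorised to test, such as a WAF management interface on an out-of-band network.

```python
"""Probe a TLS server's handling of an early ChangeCipherSpec (CVE-2014-0224).

Added example, not vendor code.  Sends a minimal TLS 1.0 ClientHello, waits for
ServerHelloDone, then sends a ChangeCipherSpec before any key exchange.  A server
with the OpenSSL fix rejects it with a fatal 'unexpected_message' alert; a server
that accepts it silently is reported as 'suspect' and should be checked further.
"""
import os
import socket
import struct

# TLS record/handshake/alert constants (RFC 2246 / RFC 5246).
CONTENT_CCS = 0x14
CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
HS_SERVER_HELLO_DONE = 14
ALERT_LEVEL_FATAL = 2
ALERT_UNEXPECTED_MESSAGE = 10
TLS10 = b"\x03\x01"

# Assumed cipher-suite offer: RSA and DHE suites that OpenSSL 1.0.x servers accept.
CIPHER_SUITES = (0x002F, 0x0035, 0x000A, 0x0039, 0x0033)


def record(content_type, body, version=TLS10):
    """Wrap body in a TLS record header: type(1) version(2) length(2)."""
    return bytes([content_type]) + version + struct.pack("!H", len(body)) + body


def build_client_hello(client_random=None):
    """Minimal TLS 1.0 ClientHello record with no session ID and no extensions."""
    client_random = client_random or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        TLS10                                    # client_version
        + client_random                          # random (32 bytes)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                            # compression_methods: null only
    )
    # Handshake header: msg_type=ClientHello(1), 3-byte length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return record(CONTENT_HANDSHAKE, handshake)


def build_ccs_record():
    """The ChangeCipherSpec record the probe sends before the key exchange."""
    return record(CONTENT_CCS, b"\x01")


def parse_records(data):
    """Split a byte stream into (content_type, body) tuples; a trailing partial record is ignored."""
    out, i = [], 0
    while i + 5 <= len(data):
        length = struct.unpack("!H", data[i + 3:i + 5])[0]
        if i + 5 + length > len(data):
            break
        out.append((data[i], data[i + 5:i + 5 + length]))
        i += 5 + length
    return out


def handshake_messages(body):
    """Return the handshake message types contained in one handshake record body."""
    types, i = [], 0
    while i + 4 <= len(body):
        types.append(body[i])
        i += 4 + int.from_bytes(body[i + 1:i + 4], "big")
    return types


def classify_ccs_response(data):
    """Interpret what the server sent back after the early CCS."""
    for ctype, body in parse_records(data):
        if ctype == CONTENT_ALERT and len(body) == 2:
            level, desc = body
            if level == ALERT_LEVEL_FATAL and desc == ALERT_UNEXPECTED_MESSAGE:
                return "not_vulnerable"   # OpenSSL 1.0.1h+ behaviour: CCS received early
            return "alert:%d/%d" % (level, desc)
    return "suspect"  # early CCS accepted without a fatal alert; verify the OpenSSL version


def probe(host, port=443, timeout=5.0):
    """Run the probe against host:port and return the verdict from classify_ccs_response."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        buf = b""
        # Read the server flight until ServerHelloDone has arrived.
        while not any(HS_SERVER_HELLO_DONE in handshake_messages(body)
                      for ctype, body in parse_records(buf) if ctype == CONTENT_HANDSHAKE):
            chunk = s.recv(65536)
            if not chunk:
                return "no_server_hello_done"
            buf += chunk
        s.sendall(build_ccs_record())
        try:
            reply = s.recv(4096)
        except socket.timeout:
            reply = b""
        return classify_ccs_response(reply)


if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(host, port, probe(host, port))
```

A reply of `15 03 01 00 02 02 0a` (constructed here) is the fixed behaviour and classifies as not_vulnerable; an empty reply or a connection close classifies as suspect rather than as a definite finding, because a non-OpenSSL stack or a middlebox may also drop the connection, so confirm a suspect result against the server's OpenSSL version string before reporting it.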

Patches that improve this mitigation in SecureSphere WAF are available now:

Patch for V9.0:
Patch for V9.5:
Patch for V10.0:
Patch for V10.5:
(Imperva Username and Credentials Required)

2) Affected Imperva Products:
  • SecureSphere Version 10.5
Imperva products not affected:
The following versions and products are not vulnerable:
  • SecureSphere 8.0, 8.5, 9.0, 9.5, 10.0, ThreatRadar Service


Only SecureSphere Web Application Firewall version 10.5 is vulnerable, and only on its management port. The risk of exploitation is low because best practice places the management port on a local or out-of-band network; customers should confirm that the management port of their 10.5 gateways is not reachable from untrusted networks until the fix is available.

Vendor Fix

Imperva is currently evaluating options to resolve the problem in version 10.5 and will provide a further update and an ETA for the fix on 6/9/2014.

The patch for SecureSphere V10.5 is not yet available on the FTP site; an ETA for this fix will be published on 6/9/2014.
(Imperva Username and Credentials Required)


Mitre CVE Listing: