Earlier today, The OpenSSL Project released an update to address a number of security flaws, including a new vulnerability classified as ‘high’ severity. The versions of OpenSSL to be patched are 1.0.2, 1.0.1, 1.0.0 and 0.9.8. The high-severity vulnerability exists only in v1.0.2, according to the advisory.
This new high-severity vulnerability could be exploited to launch a denial-of-service attack against a server by renegotiating an SSL connection with an invalid signature algorithm extension.
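As an added example (not part of the original post), a small Python helper that parses the first line of `openssl version` output and classifies a build against the release branches named in the advisory. The fixed-release patch letters it compares against are assumed to be supplied by the operator from the advisory itself; they are not values from this post.

```python
import re

# Release branches named in the advisory discussed above; only the 1.0.2
# branch carries the new high-severity renegotiation DoS.
ADVISORY_BRANCHES = {"1.0.2", "1.0.1", "1.0.0", "0.9.8"}
HIGH_SEVERITY_BRANCHES = {"1.0.2"}

_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Parse the first line of `openssl version` into (branch, patch_letters).

    Returns None for banners that are not OpenSSL (e.g. LibreSSL) or that
    are malformed, so the caller never mistakes them for a safe build.
    """
    m = _VERSION_RE.match(banner.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def triage(banner, first_fixed=None):
    """Classify one build against the advisory.

    first_fixed maps branch -> patch letters of the first fixed release in
    that branch, copied from the advisory by the operator (not hard-coded
    here). A branch with no entry is reported 'unknown', never 'patched'.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return {"branch": None, "status": "not-openssl", "high_severity_branch": False}
    branch, letters = parsed
    if branch not in ADVISORY_BRANCHES:
        return {"branch": branch, "status": "not-in-advisory", "high_severity_branch": False}
    fixed_at = (first_fixed or {}).get(branch)
    if fixed_at is None:
        status = "unknown"
    elif letters >= fixed_at:  # OpenSSL patch letters sort lexically: "" < "a" < ... < "z" < "za"
        status = "patched"
    else:
        status = "vulnerable"
    return {"branch": branch, "status": status,
            "high_severity_branch": branch in HIGH_SEVERITY_BRANCHES}


if __name__ == "__main__":
    # Constructed sample banners; the fixed-release letters below are
    # placeholders to be replaced with the values from the advisory.
    fixed = {"1.0.2": "a", "1.0.1": "m"}
    for banner in ("OpenSSL 1.0.2 (constructed)", "OpenSSL 1.0.1m (constructed)",
                   "OpenSSL 0.9.8y (constructed)", "LibreSSL 2.1 (constructed)"):
        print(banner, "->", triage(banner, fixed))
```

A build on a branch named in the advisory but with no fixed-release entry supplied is deliberately reported as `unknown`, so a missing lookup never reads as "patched".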
Incapsula is not using v1.0.2 of OpenSSL and as a result the new OpenSSL vulnerability has no impact on our network.
Moreover, since Incapsula terminates all SSL connections before passing them to origin servers, all Incapsula-protected domains are also secured by default, even before applying the patch on their end.
It should also be noted that, in this patch, OpenSSL modified the severity score of an already known vulnerability (CVE-2015-0204), upgrading it from ‘low’ to ‘high’.
This change also doesn’t affect Incapsula clients, as we patched this security flaw when it was first disclosed several months ago.
Incapsula’s team is aware of all disclosed vulnerabilities and is closely following all announcements from the OpenSSL team.
We will apply the new patch to keep our OpenSSL version up to date as soon as it becomes available.