Vulnerabilities Addressed in OpenSSL 1.1.1l

Posted by James Cline

OpenSSL 1.1.1l was released yesterday, fixing CVE-2021-3711 and CVE-2021-3712.

We do not believe CVE-2021-3711, a vulnerability in OpenSSL's implementation of SM2, had any impact on the CDN. OpenSSL does not provide support for SM2 in TLS, and we do not currently support its usage via other mechanisms.

Furthermore, we do not believe there was any impact from CVE-2021-3712, which requires OpenSSL users to construct the ASN1_STRING structure themselves without properly setting the length field. We do not create ASN1_STRINGs, and our only usage of them is when they are created by OpenSSL.

Out of an abundance of caution, we have globally deployed the fixes for these CVEs. Customers who use OpenSSL should apply the update, but no action is required by customers with regard to these CVEs on the CDN.
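For customers checking their own hosts, the following is an added example (not code from this post or from the OpenSSL project) that classifies an `openssl version` banner against the 1.1.1l fix level. The function name `check_openssl_111_fix` and the sample banners are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an OpenSSL banner against the 1.1.1l fix level.
# Input : a banner as printed by `openssl version`,
#         e.g. "OpenSSL 1.1.1k  25 Mar 2021"
# Output: "patched", "needs-update", or "unknown" (not a 1.1.1-series banner)
check_openssl_111_fix() {
    banner=$1
    # The second whitespace-separated field is the version token.
    ver=$(printf '%s\n' "$banner" | awk '{print $2}')
    case $ver in
        1.1.1*) suffix=${ver#1.1.1} ;;
        *) echo unknown; return 0 ;;
    esac
    # Drop build tags such as "-fips" or "-dev" that follow the letter.
    suffix=${suffix%%-*}
    # Explicit letter lists avoid locale-dependent range matching.
    case $suffix in
        ''|a|b|c|d|e|f|g|h|i|j|k)
            echo needs-update ;;
        l|m|n|o|p|q|r|s|t|u|v|w|x|y|z)
            echo patched ;;
        *)
            echo unknown ;;
    esac
}

# Constructed sample banners (not captured from real hosts).
for sample in \
    'OpenSSL 1.1.1k  25 Mar 2021' \
    'OpenSSL 1.1.1l  24 Aug 2021' \
    'OpenSSL 1.1.1g-fips  21 Apr 2020' \
    'OpenSSL 1.0.2u  20 Dec 2019'
do
    printf '%-36s -> %s\n' "$sample" "$(check_openssl_111_fix "$sample")"
done

# On a real host: check_openssl_111_fix "$(openssl version)"
```

Distribution packages often backport security fixes without changing the version letter, so a `needs-update` result on a distro build should be confirmed against that distribution's own advisory. Banners outside the 1.1.1 series are reported as `unknown` because this post only covers the 1.1.1l release.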

For more details on the changes included here, see the OpenSSL Changelog.

If you have further questions about these developments or would like to learn more about our comprehensive suite of delivery and security solutions, contact us today.