CVE-2016-6309 – Patching NGINX for OpenSSL Security Issues

Updated on September 26, 2016

Security is of the utmost importance to us here at Kinsta. That is one reason why we recently launched two-factor authentication to secure your Kinsta accounts. Over the past week some serious OpenSSL security vulnerabilities have been disclosed, and we want to let you know that we have been patching our NGINX servers and load balancers, upgrading OpenSSL to the latest version as soon as it becomes available to us.

OpenSSL is an open source project and cryptography library that provides a toolkit for the TLS and SSL protocols. We use the OpenSSL library, which the NGINX SSL modules require in order to support the HTTPS protocol. NGINX is also open source and is what we use to power our web servers and your WordPress sites.

OpenSSL Security Vulnerabilities

We are constantly monitoring security updates and have notifications in place to let us know when they arise. Last week the OpenSSL project announced that over a dozen vulnerabilities were patched.

CVE-2016-6304 [High Severity] 22nd September 2016

The most important was CVE-2016-6304, classified as high severity. We patched our NGINX servers and load balancers the same day and upgraded to the latest version of OpenSSL, 1.1.0a.

OCSP Status Request extension unbounded memory growth (OpenSSL.org)

A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. This will eventually lead to a Denial Of Service attack through memory exhaustion. Servers with a default configuration are vulnerable even if they do not support OCSP. Builds using the “no-ocsp” build time option are not affected.

The vulnerability was reported by Shi Lei, a researcher at a Chinese security firm, Qihoo 360.

CVE-2016-6309 [Critical Severity] 26th September 2016

Earlier this morning, the OpenSSL team announced another warning, this one of critical severity, which affects the 1.1.0a release that we had upgraded to just last week. So again we have patched our NGINX servers to the latest OpenSSL version, 1.1.0b, which addresses the security issue below.

Fix Use After Free for large message sizes (OpenSSL.org)

The patch applied to address CVE-2016-6307 resulted in an issue where if a message larger than approx 16k is received then the underlying buffer to store the incoming message is reallocated and moved. Unfortunately a dangling pointer to the old location is left which results in an attempt to write to the previously freed location. This is likely to result in a crash, however it could potentially lead to execution of arbitrary code.
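To confirm which OpenSSL release an NGINX binary is actually using after an upgrade like the ones described above, the following added example (not Kinsta's or the OpenSSL project's code) parses `nginx -V` output and classifies the 1.1.0-branch releases named in this article. The function names and the sample outputs are constructed for illustration; other OpenSSL branches are reported as unchecked.

```shell
#!/bin/sh
# Added example (not from the article): classify the OpenSSL version in `nginx -V` output.

# Print the OpenSSL version nginx is using: the "running with" version when
# nginx reports one (library changed since build), else the "built with" one.
effective_openssl() {
    printf '%s\n' "$1" | sed -n '
        /running with OpenSSL/ { s/.*running with OpenSSL \([^ )]*\).*/\1/p; q; }
        /built with OpenSSL/ { s/.*built with OpenSSL \([^ ]*\).*/\1/p; q; }'
}

# Map a 1.1.0-branch version to the two CVEs discussed in the article.
classify() {
    case "$1" in
        1.1.0)  echo "VULNERABLE: CVE-2016-6304 unfixed, upgrade to 1.1.0b" ;;
        1.1.0a) echo "VULNERABLE: CVE-2016-6309 present, upgrade to 1.1.0b" ;;
        1.1.0b) echo "OK: fixes for CVE-2016-6304 and CVE-2016-6309 included" ;;
        "")     echo "UNKNOWN: no OpenSSL version found in nginx -V output" ;;
        *)      echo "UNCHECKED: $1 is outside the releases covered here" ;;
    esac
}

check_nginx_output() { classify "$(effective_openssl "$1")"; }

# Constructed sample outputs (not captured from a real host).
SAMPLE_STALE='nginx version: nginx/1.11.4
built with OpenSSL 1.1.0a  22 Sep 2016
TLS SNI support enabled'
SAMPLE_UPGRADED='nginx version: nginx/1.11.4
built with OpenSSL 1.1.0a  22 Sep 2016 (running with OpenSSL 1.1.0b  26 Sep 2016)
TLS SNI support enabled'

if [ "${1:-}" = "--live" ]; then
    # nginx -V writes to stderr, so merge it into stdout before parsing.
    check_nginx_output "$(nginx -V 2>&1)"
else
    check_nginx_output "$SAMPLE_STALE"
    check_nginx_output "$SAMPLE_UPGRADED"
fi
```

Run with `--live` on a host to check the installed binary. An NGINX that was linked statically against OpenSSL keeps reporting the old version until it is rebuilt, even if the system OpenSSL package has been upgraded.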

You can rest assured that we are always on top of these OpenSSL security vulnerabilities and patch as soon as they come out.

This article was written by Brian Jackson
