Security Notice for June 5th OpenSSL Vulnerability Disclosure

Security Notice for June 5th OpenSSL Vulnerability Disclosure

Early Thursday, 5 June 2014, the OpenSSL team released an advisory detailing seven vulnerabilities affecting all maintained branches of OpenSSL.  Our engineering team responded to the disclosure early this morning and completed the upgrade of our public-facing production infrastructure at 3:30 PM PDT.

All our public endpoints are upgraded to protect against CVE-2014-0224 and the other vulnerabilities disclosed today.

In addition, the versions of OpenSSL shipped with our Twilio Client SDKs for iOS and Android are upgraded and available here:

• iOS 1.1.5
• Android 1.1.3

While we encourage our customers to upgrade to the latest versions of the Client SDKs as quickly as prudence demands, the upgrades to our public endpoints are sufficient to mitigate the vulnerability.  No Twilio Client apps are currently vulnerable.

Like the previous OpenSSL disclosure in April, we advise all our customers to upgrade the production hosts for their Twilio applications.  Patched versions of OpenSSL are available here or through your distribution’s package manager.

Further Resources For Help

For more information on this vulnerability, here are a few resources we found helpful:

• Original disclosure from the OpenSSL team
• Adam Langley’s analysis of the ChangeCipherSpec man-in-the-middle vulnerability.
• Masashi Kikuchi’s writeup on how he originally discovered the CCS vulnerability.

If you have any questions about this security notice, please reach out to our support team at help@twilio.com.