
Security Advisory - OpenSSL Security Advisory of 19 March 2015


Learning Security Advisory - OpenSSL Security Advisory of 19 March 2015

Release Date

2015-03-19

Last Update

2015-03-20

Solution Status

Patched

Description

The OpenSSL project announced multiple vulnerabilities in old versions of OpenSSL and also released patched versions of OpenSSL. The high risk vulnerabilities are:

  • CVE-2015-0291: a Denial of Service (DoS) exploit
  • CVE-2015-0204: a vulnerability that allowed attackers to downgrade SSL connections to use weaker EXPORT_RSA ciphers. Once downgraded, the traffic is susceptible to a man-in-the-middle (MITM) attack.

Level

Moderate

Impact

Vulnerability to denial of service attacks

Allows unauthorized disclosure of information

Systems Affected

Haiku Learning, CloudFlare (our CDN provider)

Summary:

On March 19th, OpenSSL released an advisory regarding multiple newly discovered vulnerabilities in OpenSSL, the cryptographic library used by Haiku Learning, CloudFlare (our CDN provider), and most sites on the Internet. There had been advance notice that an announcement would be forthcoming, although the details of the vulnerabilities were kept closely controlled and shared only with major operating system vendors until this notice.

Fortunately, neither Haiku Learning nor CloudFlare was affected by CVE-2015-0204, because we do not support the EXPORT_RSA cipher suites.

Haiku Learning servers are running a version of OpenSSL that is not affected by CVE-2015-0291 and therefore no upgrades were needed.

To address the remaining medium and low risk vulnerabilities, the Haiku Learning Security Team is upgrading all of our servers to the latest version of OpenSSL.

CloudFlare has also upgraded to the latest versions of OpenSSL in order to mitigate all of the announced vulnerabilities.

Status:

  • Haiku Learning systems are patched as of 2015-03-19.
  • All CloudFlare systems are patched as of 2015-03-19.