Security Vulnerability Statements
Below are Hightail's official statements and assessments for security vulnerabilities judged applicable to our systems and customers.
CVE-2016-0800: DROWN attack
DROWN is a cross-protocol attack that uses the weaknesses of the obsolete SSLv2 protocol to decrypt modern TLS sessions; a server is exposed if it accepts SSLv2 itself or if its RSA key is also used by another server that does. Hightail does not support SSLv2 on any customer-facing system and is therefore not vulnerable.
CVE-2015-1793: Certificate Verification in OpenSSL
This is a certificate verification vulnerability in the then-current OpenSSL releases only (1.0.1n, 1.0.1o, 1.0.2b and 1.0.2c, released on and after June 11th 2015): during alternative chain building, an attacker holding any valid leaf certificate could have it treated as a CA and so forge a chain that an affected TLS client, or a server verifying client certificates, accepts. Hightail has reviewed the OpenSSL versions in use on our systems and determined none to be vulnerable.
Customers using clients built on those OpenSSL releases may be vulnerable and are encouraged to upgrade to 1.0.1p, 1.0.2d or later.
Logjam TLS Vulnerability
CVE-2015-4000, known as Logjam, is a man-in-the-middle downgrade attack announced in May 2015: the attacker forces a TLS connection onto an export-grade DHE_EXPORT cipher suite with 512-bit Diffie-Hellman, for which the discrete logarithm can be precomputed, and recovers the session key; the same research showed that the widely shared 1024-bit DH groups are within reach of well-resourced attackers. Hightail does not support DHE-EXPORT ciphers on any of its services and is therefore not vulnerable.
FREAK SSL/TLS Vulnerability
CVE-2015-0204, commonly known as "FREAK" (Factoring RSA Export Keys), is an attack announced in March 2015 against browsers and servers that still accept the export-grade RSA cipher suites of the 1990s: a man-in-the-middle downgrades the connection to a 512-bit RSA_EXPORT key, factors that key offline (a matter of hours for 512-bit RSA) and can then decrypt or tamper with the session. Hightail only supports strong SSL/TLS cipher suites on our systems and is not affected. Customers concerned about this vulnerability who use Chrome or Internet Explorer are encouraged to upgrade to the latest versions, which disable the weak "export-grade" SSL/TLS ciphers.
Poodle TLS Vulnerability
CVE-2014-8730, the POODLE variant against TLS, was announced in December 2014. It affects TLS 1.0 through 1.2 implementations, notably on some load balancers, that accept CBC-mode records without checking their padding bytes, which reopens the original POODLE padding-oracle attack even where SSLv3 is already disabled. Hightail found some systems vulnerable and completed patching within 48 hours of the announcement. Customers concerned about this vulnerability who use Safari version 6 or Internet Explorer version 8 are encouraged to upgrade to the latest versions, which use the newer TLS 1.2 protocol.
Poodle SSL version 3 Vulnerability
CVE-2014-3566 (US-CERT alert TA14-290A), commonly known as "Poodle", is a vulnerability in SSL protocol version 3 announced in October 2014: a man-in-the-middle who can force a client to fall back to SSLv3 can use its CBC padding oracle to decrypt secrets such as session cookies. Hightail responded by disabling SSL version 3 support on our website, and will be phasing out SSL version 3 entirely by 2016. Customers concerned about this vulnerability who use Internet Explorer 6 are encouraged to upgrade to the latest version, which uses the newer TLS protocol.
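As an added example (not Hightail's own tooling), the following POSIX shell script checks a TLS endpoint for the legacy support that the DROWN, Poodle, FREAK and Logjam statements above concern: SSLv2, SSLv3, export-grade cipher suites, the DHE_EXPORT suites, and the size of the server's ephemeral DH group. It assumes the openssl command-line tool is installed; the host, port and the 2048-bit DH threshold are assumptions of the example. Because recent OpenSSL builds can no longer speak SSLv2 (and often not SSLv3 or export ciphers either), a probe that the local tool cannot even send is reported as inconclusive rather than as a pass.

```shell
#!/bin/sh
# tls_legacy_audit.sh: probe one TLS endpoint for the legacy protocol and
# cipher support that DROWN (SSLv2), POODLE (SSLv3), FREAK (export RSA)
# and Logjam (DHE_EXPORT, small DH groups) depend on.
# Added example; not Hightail's own tooling. Assumes the openssl CLI.
# Usage: sh tls_legacy_audit.sh host [port]

# Classify raw `openssl s_client` output. Prints one word:
#   accepted     - the server completed a handshake with the probed setting
#   refused      - the server rejected it
#   inconclusive - the local openssl could not even build the probe
#                  (option or cipher compiled out, tool missing), so
#                  nothing was learned about the server
interpret() {
    out="$1"
    if printf '%s\n' "$out" | grep -Eqi 'unknown option|error setting cipher list|no cipher match|no protocols available|not found'; then
        echo inconclusive
    # A completed handshake prints "New, <proto>, Cipher is <suite>";
    # a failed one prints "Cipher is (NONE)".
    elif printf '%s\n' "$out" | grep -q 'Cipher is ' && ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo accepted
    else
        echo refused
    fi
}

# Ephemeral DH group size in bits, from the "Server Temp Key: DH, N bits"
# line that OpenSSL 1.0.2 and later print for DHE suites; empty if absent.
dh_bits() {
    printf '%s\n' "$1" | sed -n 's/.*Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1
}

# Judge the DH group: Logjam broke 512-bit groups outright and showed
# 1024-bit ones are within reach of a well-funded attacker, so anything
# under 2048 bits (an assumed threshold) is flagged. Prints weak, ok or none.
judge_dh() {
    bits=$(dh_bits "$1")
    if [ -z "$bits" ]; then
        echo none
    elif [ "$bits" -lt 2048 ]; then
        echo weak
    else
        echo ok
    fi
}

# One s_client probe; remaining arguments (-ssl3, -cipher ...) pass through.
# stdin is closed so s_client exits instead of waiting for input.
probe() {
    host="$1"; port="$2"; shift 2
    openssl s_client -connect "$host:$port" "$@" </dev/null 2>&1
}

# Run every probe against host[:port] and print one verdict per line.
audit() {
    host="$1"; port="${2:-443}"

    # DROWN: any SSLv2 handshake at all is fatal. No SNI here; SSLv2 predates it.
    r=$(probe "$host" "$port" -ssl2) || true
    echo "SSLv2 (DROWN):            $(interpret "$r")"

    # POODLE: SSLv3 must be refused outright.
    r=$(probe "$host" "$port" -ssl3) || true
    echo "SSLv3 (POODLE):           $(interpret "$r")"

    # FREAK: any export-grade suite; EXP is OpenSSL's alias for them.
    r=$(probe "$host" "$port" -servername "$host" -cipher EXP) || true
    echo "export ciphers (FREAK):   $(interpret "$r")"

    # Logjam: the DHE_EXPORT suites specifically (export AND ephemeral DH).
    r=$(probe "$host" "$port" -servername "$host" -cipher 'EXP+kEDH') || true
    echo "DHE_EXPORT (Logjam):      $(interpret "$r")"

    # Logjam again: size of the group behind the ordinary DHE suites.
    r=$(probe "$host" "$port" -servername "$host" -cipher kEDH) || true
    if [ "$(interpret "$r")" = accepted ]; then
        bits=$(dh_bits "$r")
        [ -n "$bits" ] && bits=" ($bits bits)"
        echo "DHE group size (Logjam):  $(judge_dh "$r")$bits"
    else
        echo "DHE group size (Logjam):  no DHE suite negotiated"
    fi
}

# Run only when a host is given, so the functions can also be sourced.
if [ "$#" -ge 1 ]; then
    audit "$@"
fi
```

An "accepted" on the SSLv2 or SSLv3 line, or on either export-cipher line, means the corresponding statement above would not hold for that host; a "weak" DH group is the non-export half of the Logjam finding. For a definitive SSLv2 answer the script has to be run with an OpenSSL 1.0.x build, since newer builds report that probe as inconclusive.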
ShellShock Vulnerability
CVE-2014-6271, commonly called "ShellShock", is a vulnerability in the GNU Bash shell used on most Unix-based systems, announced in September 2014: Bash executed any command appended to a function definition passed in an environment variable, so a service that put attacker-controlled input into the environment of a Bash process (CGI web scripts being the classic case) could be made to run arbitrary commands. Hightail determined that a small number of our legacy systems could be affected, and completed patching within 24 hours of the announcement.
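The standard local check for this flaw, as an added example rather than Hightail's own procedure: the script below hands a target shell an environment variable whose value is a function definition followed by an extra command, and reports whether that extra command ran. The path to the shell binary is the caller's choice; it defaults to whatever "bash" is on the PATH.

```shell
#!/bin/sh
# shellshock_probe.sh: check whether a shell binary executes the command that
# follows a function definition imported from the environment (CVE-2014-6271).
# Added example; not Hightail's own check.
# Usage: sh shellshock_probe.sh [/path/to/bash]

# Prints "vulnerable" if the trailing command in the crafted variable runs
# when the target shell starts, "patched" if only the intended command runs;
# returns 2 when the binary cannot be executed at all.
shellshock_probe() {
    target="${1:-bash}"
    # The value is a harmless function body followed by an extra command.
    # A fixed shell imports the function and ignores everything after it.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$target" -c 'echo probe' 2>/dev/null) || return 2
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

if [ "$#" -ge 1 ]; then
    shellshock_probe "$1"
fi
```

A "patched" result only covers the original injection; the incomplete first fix had its own identifier (CVE-2014-7169) and needs a separate test, so confirm the installed Bash package version against the vendor advisory as well.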
SSL Heartbleed Vulnerability
CVE-2014-0160, commonly called "Heartbleed", is a vulnerability in the TLS heartbeat extension of OpenSSL 1.0.1 through 1.0.1f, announced in April 2014: a missing bounds check lets a peer read up to 64 KB of the process's memory per request, which can expose private keys, session keys and user data. Hightail has conducted an audit of our systems and found them not to be vulnerable.