Cloudflare is not affected by the OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786

Cloudflare is not affected by the OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786
Cloudflare is not affected by the OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786

Yesterday, November 1, 2022, OpenSSL released version 3.0.7 to patch CVE-2022-3602 and CVE-2022-3786, two HIGH risk vulnerabilities in the OpenSSL 3.0.x cryptographic library. Cloudflare is not affected by these vulnerabilities because we use BoringSSL in our products.

These vulnerabilities are memory corruption issues, in which attackers may be able to execute arbitrary code on a victim’s machine. CVE-2022-3602 was initially announced as a CRITICAL severity vulnerability, but it was downgraded to HIGH because it was deemed difficult to exploit with remote code execution (RCE). Unlike previous situations where users of OpenSSL were almost universally vulnerable, software that is using other versions of OpenSSL (like 1.1.1) are not vulnerable to this attack.

How do these issues affect clients and servers?

These vulnerabilities reside in the code responsible for X.509 certificate verification - most often executed on the client side to authenticate the server and the certificate presented. In order to be impacted by this vulnerability the victim (client or server) needs a few conditions to be true:

  • A malicious certificate needs to be signed by a Certificate Authority that the victim trusts.
  • The victim needs to validate the malicious certificate or ignore a Continue reading

Scalability Aspects of SR-MPLS

Henk Smit left a wonderful comment discussing various scalability aspects of SR-MPLS. Let’s go through the points he made:

When you have a thousand routers in your networks, you can put all of them in one (IS-IS) area. Maybe with 2k routers as well. But when you have several thousand routers, you want to use areas, if only to limit the blast-radius.

Absolutely agree, and as RFC 3439 explained in more eloquent terms than I ever could:

Read more …

Scalability Aspects of SR-MPLS

Henk Smit left a wonderful comment discussing various scalability aspects of SR-MPLS. Let’s go through the points he made:

When you have a thousand routers in your networks, you can put all of them in one (IS-IS) area. Maybe with 2k routers as well. But when you have several thousand routers, you want to use areas, if only to limit the blast-radius.

Absolutely agree, and as RFC 3439 explained in more eloquent terms than I ever could:

Read more …

Comparing QUIC and TCP

QUIC could be seen as a simple update to TCP, but I think that such a vew is missing the point of QUIC. QUIC represents a significant shift in the set of transport capabilities available to applications in terms of communication privacy, session control integrity and flexibility.

Ubuntu 20.04 image for EVE-NG – Python for Network Engineers

This is an identical copy of my Ubuntu 20.04 PFNE Docker image, developed to be imported and used on EVE-NG (works also on the Community edition because it doesn’t need Docker support). It contains all necessary tools for network engineers to test automation and learn Python. If you think a tool would be suitable to … Continue reading Ubuntu 20.04 image for EVE-NG – Python for Network Engineers

NetApp unifies its storage offerings under a new BlueXP roof

NetApp announced Tuesday that its on-premises and cloud storage offerings are now unified under the umbrella of a single platform, called BlueXP, which serves as a control plane for each of its products and simplifies the management of enterprise storage for organizations.BlueXP—which is a free upgrade for its customers—is a reaction to the reality that more and more companies’ storage environments are hybrids these days, combining cloud and on-premises storage, according to NetApp. Businesses of almost any size that have been in operation for more than a decade or so are, more often than not, involved in digital transformation efforts that move at various paces, said company senior vice president and general manager for cloud storage Ronen Schwartz.To read this article in full, please click here

NetApp unifies its storage offerings under a new BlueXP roof

NetApp announced Tuesday that its on-premises and cloud storage offerings are now unified under the umbrella of a single platform, called BlueXP, which serves as a control plane for each of its products and simplifies the management of enterprise storage for organizations.BlueXP—which is a free upgrade for its customers—is a reaction to the reality that more and more companies’ storage environments are hybrids these days, combining cloud and on-premises storage, according to NetApp. Businesses of almost any size that have been in operation for more than a decade or so are, more often than not, involved in digital transformation efforts that move at various paces, said company senior vice president and general manager for cloud storage Ronen Schwartz.To read this article in full, please click here

Hyperscalers And Clouds Lift Arista Networks Sky High

A massive buildout of infrastructure is happening within the datacenter walls of at least several of the hyperscalers and large clouds in the world if the financial results of Arista Networks, the upstart switch maker that has been taking on Cisco Systems in the datacenter with machines based on merchant silicon for more than a decade.

Hyperscalers And Clouds Lift Arista Networks Sky High was written by Timothy Prickett Morgan at The Next Platform.

Cisco adds a firewall, upgrades security

Security is the name of the game at Cisco’s Partner Summit gathering this week with the rollout of a new firewall and added data-loss prevention (DLP) and passwordless authentication features to its security wares. On the firewall front, Cisco announced the Secure Firewall 3105 it says is built specifically for hybrid workers and small branch offices. Available early next year, the 1U 3105 supports 10Gbps throughput, 7Gbps IPSec throughput and 3,000 VPN peers. The box is the new low-end for the Secure Firewall 3100 family, including the 3110, 3120, 3130 and the high-end 3140, which supports 45Gbps throughput.To read this article in full, please click here

Cisco adds a firewall, upgrades security

Security is the name of the game at Cisco’s Partner Summit gathering this week with the rollout of a new firewall and added data-loss prevention (DLP) and passwordless authentication features to its security wares. On the firewall front, Cisco announced the Secure Firewall 3105 it says is built specifically for hybrid workers and small branch offices. Available early next year, the 1U 3105 supports 10Gbps throughput, 7Gbps IPSec throughput and 3,000 VPN peers. The box is the new low-end for the Secure Firewall 3100 family, including the 3110, 3120, 3130 and the high-end 3140, which supports 45Gbps throughput.To read this article in full, please click here

Getting started with EKS and Calico

Cloud-native applications offer a lot of flexibility and scalability, but to leverage these advantages, we must create and deploy a suitable environment that will enable cloud-native applications to work their magic.

Managed services, self-managed services, and bare metal are three primary categories of Kubernetes deployment in a cloud environment. Our focus in this article will be on Amazon Web Service’s (AWS) managed Kubernetes service, Elastic Kubernetes Service (EKS), and capabilities that Calico Open Source adds to the EKS platform.

Managed services

A managed cluster is a quick and easy way to deploy an enterprise-grade Kubernetes cluster. In a managed cluster, mundane operations such as provisioning new nodes, upgrading the OS/Kubernetes, and scaling resources are transferred to the cloud provider, which allows you to expand your application with ease.

EKS is a managed service by AWS that offers a fault-tolerant Kubernetes control plane endpoint and automates worker node maintenance and deployment process.

Comparing popular CNI options in EKS

Most popular managed services, such as EKS, come with an official CNI that offers networking and other features for your cluster. While these CNIs are highly integrated with the underlying system, they can introduce some limitations. To remedy these limitations and unlock the Continue reading

who me?

This blog is to share knowledge and experiences I come across within the trials and tribulations of networking and automation. As we all know the Internet is built on plagiarism. I do try and mention any sources I use, but if I do miss you out please don’t get offended, feel less important or come after me. Plagiarism is just confirmation of your superior knowledge. Some of the information maybe wrong, I am certain the grammar is wrong, but it is written with the best interests at heart.
1 409 410 411 412 413 3,841