March 3, 2016
Magento wants its merchants to be aware of a new vulnerability in servers using SSL and TLS. Known as DROWN, this vulnerability can be exploited to decrypt and steal secure HTTPS communications. This is not a Magento-specific issue, so merchants at risk for this attack include those with:
Servers supporting SSLv2, a 1990s-era encryption protocol
Servers using the updated TLS protocol when they share the same private key with another server (like a mail server) that supports SSLv2
We urge merchants to visit the DROWN attack site to determine if their site is vulnerable. Merchants at risk should consult with their hosting provider to develop a solution that works for their site, such as disabling SSLv2. This is also a good opportunity to make sure that their installed OpenSSL libraries are patched or upgraded to the latest version. They can test their HTTPS configurations using https://www.ssllabs.com/ssltest/.
As part of our comprehensive approach to security, Magento regularly shares updates on security issues that may be useful for our merchants, even if these issues are not related to our core technology.