Array Networks announces that its Array Networks products are NOT exposed to the DROWN vulnerability. As described on the DROWN Attack Website, DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security.
Unlike hardware and software vendors that have integrated OpenSSL into their core product and service offerings or rely on SSLv2, Array is unaffected because the company is known to use a proprietary SSL stack to process SSL, TLS and DTLS service traffic. Array also does not permit the use of the weak SSLv2 protocol.
Array products – including APV, vAPV, AG, vxAG and even end-of-sale TMX and SPX products – use a proprietary SSL stack to process all SSL, TLS and DTLS service traffic. Therefore, service traffic on Array products is unaffected by the OpenSSL DROWN vulnerability. Further, because the use of SSLv2 is not allowed, the impact of the latest OpenSSL vulnerability is fully mitigated
DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Measurements indicate 33% of all HTTPS servers are vulnerable to the attack.
“As a leader in application delivery, we are happy to report that Array is not affected by the DROWN vulnerability,” said Michael Zhao, President and CEO of Array Networks. “The time and attention we pay to creating our own implementations not only deliver superior performance, scalability and economics for customers that transact business on the Web, it also ensures that customers are not exposed to vulnerabilities that so often arise from use of open technologies.”
Customers using Array application delivery solutions do not need to take any measures to patch or remediate the company’s products. Moreover, companies offloading SSL on Array appliances benefit from a “first line of defense” that mitigates exposure to the DROWN vulnerability in the event that other elements in the network are affected.
Additionally, the company also claims to be unaffected by other recent vulnerabilities including Heartbleed, BASH and a number of other OpenSSL and general security advisories.