
The OpenSSL project has released information on what has been called the DROWN attack.


In summary - SSLv2 is dead, gone, kaput. Well, unless you build OpenSSL specifically with SSLv2 enabled. The SSLv2 export ciphers have also been removed.


There are a large number of vulnerabilities in SSLv2 (see the OpenSSL advisory for some of them), so to be honest it's surprising that it has taken so long. According to the attack website, at least a quarter of the top 1 million domains are still vulnerable. Yowser.


So ... to ADDM Discovery. The openssl package on RHEL6 is affected (it has not had SSLv2 disabled), as is the version of the OpenSSL libraries we use in the proxy. However, SSLv2 is disabled on the Apache server and the appliance-proxy communication uses TLSv1.2, so ADDM Discovery is not vulnerable to the attack.
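As an added check (not part of the original post, and not ADDM code), here is a small shell script that audits an Apache mod_ssl config for SSLProtocol lines that still permit SSLv2, which is what "SSLv2 is disabled on the Apache server" has to mean in practice. The two sample configs and the weak/fixed file names are constructed for the example.

```shell
#!/bin/sh
# Audit an Apache mod_ssl config for SSLProtocol directives that still
# permit SSLv2, the precondition for DROWN on that listener.
# Exit status 0 means "SSLv2 allowed somewhere" (true, so it reads naturally
# in an if), 1 means every SSLProtocol line excludes it. Offending lines are
# printed. Tokens are read left to right as mod_ssl does: "all", a bare
# protocol name or "+name" enable, "-name" removes. A file with no
# SSLProtocol line is flagged, since httpd 2.2 (RHEL 6) defaults to "all".
sslv2_allowed() {
    awk '
        tolower($1) == "sslprotocol" {
            seen = 1; v2 = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "all" || t == "+all" || t == "sslv2" || t == "+sslv2") v2 = 1
                else if (t == "-all" || t == "-sslv2") v2 = 0
            }
            if (v2) { bad = 1; printf "line %d allows SSLv2: %s\n", NR, $0 }
        }
        END {
            if (!seen) { print "no SSLProtocol directive: default (all) allows SSLv2"; bad = 1 }
            exit (bad ? 0 : 1)
        }' "$1"
}

# Constructed sample configs (not taken from any real appliance).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all
</VirtualHost>
EOF
cat > "$SAMPLE_DIR/fixed.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
EOF

for name in weak fixed; do
    if sslv2_allowed "$SAMPLE_DIR/$name.conf"; then
        echo "$name.conf: SSLv2 ALLOWED, fix SSLProtocol before exposing this host"
    else
        echo "$name.conf: SSLv2 disabled"
    fi
done
```

DROWN also works against a server that never speaks SSLv2 itself if its RSA key is shared with another host that does, so the audit has to cover every server that uses the same certificate.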


The vulnerability has been classed "Important" by Red Hat and has a CVSS score of 5.8. Taken together, these factors mean we will package up the openssl RPM change in the next OSU (once it is available from Red Hat), and the proxy build will be updated for the next releases.