Rocket Advisory Notice on FREAK OpenSSL Vulnerability – Rocket U2 Databases
What You Need to Know
We’d like to help answer some questions about a discovered vulnerability in the SSL and TLS cryptographic protocols.
On March 6, a vulnerability referred to as “FREAK” was announced (read US-CERT statement). This means hackers could intercept and decrypt communications between affected clients and servers.
The Bottom Line
“FREAK” (Factoring Attack on RSA-EXPORT Keys) facilitates man-in-the-middle (MITM) attacks against secure connections where the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or uses an older, unpatched version of OpenSSL.
Once the encryption is broken by attackers, they could steal passwords as well as other personal information and potentially launch further attacks against the Web site.
OpenSSL 1.0.1m, which was released on March 19, 2015, contains a patch for the OpenSSL Man in the Middle Security Bypass Vulnerability (CVE-2015-0204).
Rocket’s Recommended Actions for U2 Databases
Rocket U2 databases using OpenSSL versions less than 1.0.1m are susceptible to the “FREAK Vulnerability.”
Rocket products within the Rocket U2 family which are affected and can be patched:
Rocket® UniVerse 11.1.14 and above, 11.2
Rocket® UniData 7.3.7 and 8.1
Rocket® U2 Toolkit for .NET 2.1
Rocket® wIntegrate 6.3.7 and higher
Rocket® SB Client 6.30 and SB/XA 6.30
Rocket® U2 Clients - NOV2012 and higher
Rocket strongly recommends that you upgrade to our OpenSSL 1.0.1m libraries as soon as possible. You must obtain these libraries from us as we have integrated them into our products.
Use the hyperlink to our Public Tech Note #1410041 for more details, including how to download our latest SSL drivers (OpenSSL 1.0.1m) for each of the Rocket products listed from our Rocket Customer Portal.
We also advise Web server owners to disable support for export-grade encryption and to check that any other known insecure ciphers are also disabled.
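The two conditions above (an OpenSSL build older than 1.0.1m, and a server that still accepts RSA_EXPORT suites) can each be checked mechanically. The following Python is an added example written for this page; it is not Rocket's code or part of Tech Note #1410041. It assumes OpenSSL's usual "major.minor.fix" plus patch-letter version format, and it takes the server's accepted cipher-suite list as input (a constructed sample here, in practice the output of a TLS scanner) rather than probing anything over the network. The weak-cipher families it flags beyond export grade (anonymous DH, NULL, RC4, single DES, MD5 MACs) are the ones commonly meant by "known insecure ciphers" and are an assumption of the example, not a list from the advisory.

```python
"""
Added example (not from Rocket's advisory): defender-side checks for the two
FREAK preconditions the advisory names.

1. is_vulnerable_openssl_version(): is an OpenSSL version string below the
   1.0.1m fix threshold?  Versions of that era are "major.minor.fix" plus an
   optional patch letter, and letters sort alphabetically (1.0.1k < 1.0.1m).
2. audit_cipher_suites(): given the suites a server accepts, flag export-grade
   suites (the server-side FREAK precondition) and other well-known weak
   families so they can be disabled.
"""
import re
from typing import Dict, List, Optional, Tuple

# Matches "1.0.1m", "1.0.2", "1.0.1k-fips" (trailing build tags are ignored).
_OPENSSL_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")

FREAK_FIXED_VERSION = "1.0.1m"  # release carrying the CVE-2015-0204 fix (from the advisory)


def parse_openssl_version(version: str) -> Tuple[int, int, int, Tuple[int, ...]]:
    """Turn an OpenSSL version string into a comparable tuple.

    The patch letters become a tuple of code points so that "" < "a" < "z" < "zb",
    which is how OpenSSL ordered its lettered patch releases.
    """
    m = _OPENSSL_VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), tuple(ord(c) for c in letters))


def is_vulnerable_openssl_version(version: str) -> bool:
    """Apply the advisory's rule literally: anything below 1.0.1m is susceptible."""
    return parse_openssl_version(version) < parse_openssl_version(FREAK_FIXED_VERSION)


def is_export_suite(name: str) -> bool:
    """Export-grade suites are 'EXP-...' in OpenSSL naming and '..._EXPORT_...' in IANA naming."""
    upper = name.upper()
    return upper.startswith("EXP-") or "EXPORT" in upper


def classify_cipher_suite(name: str) -> Optional[str]:
    """Return why a suite should be disabled, or None if this check accepts it.

    Accepts both OpenSSL names (EXP-RC4-MD5, DES-CBC3-SHA) and IANA names
    (TLS_RSA_EXPORT_WITH_RC4_40_MD5).  Note DES-CBC3-SHA is triple DES and is
    deliberately not matched by the single-DES pattern.
    """
    upper = name.upper()
    if is_export_suite(upper):
        return "export-grade (40/56-bit) key material; FREAK precondition"
    if "ADH-" in upper or "AECDH-" in upper or "_ANON_" in upper:
        return "anonymous key exchange (no server authentication)"
    if "NULL" in upper:
        return "NULL cipher (no encryption)"
    if "RC4" in upper:
        return "RC4 stream cipher"
    if "DES-CBC-" in upper or "_DES_CBC_" in upper:
        return "single DES (56-bit)"
    if upper.endswith("MD5"):
        return "MD5-based MAC"
    return None


def audit_cipher_suites(accepted: List[str]) -> Dict[str, str]:
    """Map every flagged suite in the server's accepted list to the reason for flagging it."""
    findings: Dict[str, str] = {}
    for suite in accepted:
        reason = classify_cipher_suite(suite)
        if reason is not None:
            findings[suite] = reason
    return findings


def server_accepts_export_suites(accepted: List[str]) -> bool:
    """True if the server-side FREAK precondition (any RSA_EXPORT suite accepted) holds."""
    return any(is_export_suite(s) for s in accepted)


# Constructed sample: the kind of list a scanner reports for a server that was
# never tightened.  Three export suites, one RC4 suite and one anonymous suite
# should be flagged; the AES and 3DES suites pass this particular check.
SAMPLE_SERVER_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "DES-CBC3-SHA",
    "EXP-RC4-MD5",
    "EXP-DES-CBC-SHA",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "RC4-SHA",
    "ADH-AES128-SHA",
]

if __name__ == "__main__":
    for v in ("1.0.1k", "1.0.1m", "1.0.2a"):
        print(f"OpenSSL {v}: {'VULNERABLE' if is_vulnerable_openssl_version(v) else 'patched'}")
    print("FREAK precondition present:", server_accepts_export_suites(SAMPLE_SERVER_SUITES))
    for suite, reason in audit_cipher_suites(SAMPLE_SERVER_SUITES).items():
        print(f"  disable {suite}: {reason}")
```

In OpenSSL cipher-string terms, the advisory's server-side advice corresponds to excluding `EXPORT`, `LOW`, `aNULL`, `eNULL`, `RC4`, `DES` and `MD5` from the configured list (all are standard OpenSSL cipher-string keywords); the audit above tells you which of a server's currently accepted suites those exclusions would remove.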
Visit the United States Computer Emergency Readiness Team’s (US-CERT) Web site posting for specifics about the FREAK vulnerability.
See Vulnerability Summary CVE-2015-0204 issued by NIST (National Institute of Standards and Technology) within its National Vulnerability Database / Cyber Awareness System.