
Earlier today a security vulnerability known as “DROWN” was announced.  SUSE was on top of it and already has patches available for SUSE Linux Enterprise.

What is “DROWN”?

“DROWN” is an acronym that stands for “Decrypting RSA using Obsolete and Weakened eNcryption”.  Also known as CVE-2016-0800.

(Figure: DROWN diagram 1)

It allows an attacker to decrypt a TLS connection between the client and server by sending probes to the server — so long as that server supports SSLv2 using the same private key.

Is my system vulnerable?

Because SSLv2 is still widely supported across the Internet, the DROWN vulnerability can affect a large number of servers. If your server uses both TLS and SSLv2, it may be vulnerable.

How do I fix this vulnerability?

This vulnerability can be avoided by disabling the SSLv2 protocol on all of your SSL/TLS servers.

SUSE has released a patch that disables the SSLv2 protocol altogether by default, and also disables all EXPORT ciphers — thus closing the vulnerability.  The patch also checks environment variables so that customers can re-enable SSLv2 for applications that still need it.

Those patches are available for the following systems:

SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
SUSE Linux Enterprise Server 12 Service Pack 1
SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 11 Service Pack 3 LTSS (SLES 11 SP3 LTSS)
SUSE Linux Enterprise Server 11 Service Pack 2 LTSS (SLES 11 SP2 LTSS)
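To confirm that a server you administer no longer completes an SSLv2 handshake after patching, the following added example (not code from the SUSE post or its OpenSSL patch) sends one SSLv2 CLIENT-HELLO and parses the reply, reporting which SSLv2 cipher kinds, EXPORT kinds included, the server still offers. The host, port and helper names are assumptions; a patched server returns nothing SSLv2-shaped, so the result is None.

```python
import socket
import struct

# SSLv2 cipher kinds (3-byte CIPHER-SPEC values from the SSL 2.0 draft),
# including the EXPORT kinds that the SUSE patch disables alongside SSLv2.
SSLV2_CIPHERS = {
    0x010080: "SSL_CK_RC4_128_WITH_MD5",
    0x020080: "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    0x030080: "SSL_CK_RC2_128_CBC_WITH_MD5",
    0x040080: "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "SSL_CK_IDEA_128_CBC_WITH_MD5",
    0x060040: "SSL_CK_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

def build_sslv2_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """SSLv2 CLIENT-HELLO offering every cipher kind above, wrapped in the
    2-byte SSLv2 record header (high bit set, 15-bit record length)."""
    specs = b"".join(c.to_bytes(3, "big") for c in SSLV2_CIPHERS)
    body = (b"\x01"                      # MSG-CLIENT-HELLO
            + b"\x00\x02"                # CLIENT-VERSION = SSLv2
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)         # no session id, 16-byte challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_sslv2_server_hello(data: bytes):
    """Return the cipher names offered if `data` is an SSLv2 SERVER-HELLO,
    else None (empty reply, TLS alert record, or anything non-SSLv2)."""
    if len(data) < 13 or not data[0] & 0x80:
        return None
    body = data[2:2 + (((data[0] & 0x7F) << 8) | data[1])]
    if len(body) < 11 or body[0] != 0x04:  # MSG-SERVER-HELLO
        return None
    # fixed part: type(1) session-id-hit(1) cert-type(1) version(2)
    # cert-len(2) cipher-spec-len(2) connection-id-len(2)
    version, cert_len, spec_len, _ = struct.unpack(">HHHH", body[3:11])
    if version != 0x0002:
        return None
    specs = body[11 + cert_len: 11 + cert_len + spec_len]
    return [SSLV2_CIPHERS.get(int.from_bytes(specs[i:i + 3], "big"), "unknown")
            for i in range(0, len(specs), 3)]

def server_accepts_sslv2(host: str, port: int = 443, timeout: float = 5.0):
    """Probe your own server once; None means SSLv2 is disabled (patched)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv2_client_hello())
        try:
            reply = s.recv(4096)
        except socket.timeout:
            reply = b""
    return parse_sslv2_server_hello(reply)
```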

Category: Enterprise Linux, Expert Views, SUSE Linux Enterprise Server, Technical Solutions
This entry was posted Tuesday, 1 March, 2016 at 10:24 am

Comments

  • rjschwei says:

    Images maintained by SUSE in Amazon EC2, Google Compute Engine, and Microsoft Azure with a date indicator of v20160301 or greater include the changes in OpenSSL that address DROWN.
