OpenSSL versions that only allow ephemeral RSA keys in export ciphersuites (FREAK) (VUL-0: CVE-2015-0204)
This document (7016252) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server 10 Service Pack 4 (SLES 10 SP4)
SUSE Linux Enterprise Server 10 Service Pack 3 (SLES 10 SP3)
SUSE Linux Enterprise Server 10 Service Pack 2 (SLES 10 SP2)
SUSE Linux Enterprise Server 10 Service Pack 1 (SLES 10 SP1)
SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
SUSE Linux Enterprise Server 11 Service Pack 2 (SLES 11 SP2)
SUSE Linux Enterprise Server 11 Service Pack 1 (SLES 11 SP1)
SUSE Linux Enterprise Server 12
Expanded Support 6 (RES 6)
Expanded Support 7 (RES 7)
The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptography, which can then be decrypted or altered
Some SSL clients, including OpenSSL, will accept weak RSA keys–known as export-grade keys–without asking for those keys.
Export-grade refers to 512-bit RSA keys, the key strength that was approved by the United States government for export overseas.
Websites for this issue and further details can be found here and here
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.1 users should upgrade to 1.0.1k
OpenSSL 1.0.0 users should upgrade to 1.0.0p
OpenSSL 0.9.8 users should upgrade to 0.9.8zd
*Please note that the SUSE released versions do not necessarily match the upstream community released versions.
For Expanded Support (RES) the following OpenSSL versions have the fix included already:
Please note that another OpenSSL update will be available soon for RHEL7.
It is also required to check if any of the following services are still offering EXPORT ciphers and if that is the case, remove them via the OpenSSL Command-Line tool:
For HTTPS services (webservices):
openssl s_client -connect example.com:443 -cipher EXPORT
For SMTP servers with SSL:
openssl s_client -connect example.com:smtp -starttls smtp -cipher EXPORT
For IMAP server with SSL:
openssl s_client -connect example.com:imaps -cipher EXPORT
For POP3 server with SSL:
openssl s_client -connect example.com:pop3s -cipher EXPORT
RSA key exchange ciphersuite. A server could present a weak temporary key
and downgrade the security of the session.
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7016252
- Creation Date:04-MAR-15
- Modified Date:05-MAR-15
- SUSESUSE Linux Enterprise Server