
Novell products and OpenSSL DROWN vulnerability (CVE-2016-0800)

This document (7017316) is provided subject to the disclaimer at the end of this document.

Environment

OpenSSL released a security advisory on March 1, 2016, including a high-severity vulnerability (CVE-2016-0800) that could allow an attacker to compromise TLS session keys.

Situation

The attack requires OpenSSL be configured to allow SSLv2 and/or EXPORT ciphers, and is unique in that a poorly configured service can be used to compromise a properly configured service using the same RSA key.

Resolution

The newly released version of OpenSSL addresses this vulnerability by disabling SSLv2 and EXPORT ciphers by default. Novell products are not affected as they have already been configured by default to disallow SSLv2 and EXPORT ciphers for quite some time.

Note that if the customer environment includes non-Novell services that are configured insecurely to allow SSLv2 and/or EXPORT ciphers AND share an RSA key with properly configured Novell services, then the Novell services could be compromised as a result. Customers should work with all vendors to ensure that their TLS services are properly configured.
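The shared-key condition described above can be checked against an inventory of TLS endpoints. The following Python sketch is an added example, not Novell or OpenSSL code; the inventory records, hostnames, key labels and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical hosts), one record per TLS endpoint.
# "rsa_key" stands in for a hash of the RSA public key; compare public keys,
# not certificates, because different certificates can carry the same key.
INVENTORY = [
    {"endpoint": "webaccess.example.com:443", "rsa_key": "key-A",
     "protocols": ["TLSv1", "TLSv1.2"], "ciphers": ["AES256-SHA"]},
    {"endpoint": "legacy-mail.example.com:465", "rsa_key": "key-A",
     "protocols": ["SSLv2", "TLSv1"], "ciphers": ["RC4-MD5"]},
    {"endpoint": "filr.example.com:443", "rsa_key": "key-B",
     "protocols": ["TLSv1.2"], "ciphers": ["AES128-SHA"]},
    {"endpoint": "old-app.example.com:8443", "rsa_key": "key-C",
     "protocols": ["TLSv1"], "ciphers": ["EXP-RC4-MD5", "AES128-SHA"]},
    {"endpoint": "vibe.example.com:443", "rsa_key": "key-C",
     "protocols": ["TLSv1.2"], "ciphers": ["AES128-SHA"]},
]

def weak_reasons(svc):
    """Return why an endpoint allows SSLv2 and/or EXPORT ciphers (may be empty)."""
    reasons = []
    if any(p.replace(" ", "").upper() == "SSLV2" for p in svc["protocols"]):
        reasons.append("SSLv2 enabled")
    # OpenSSL names export-grade suites with an EXP prefix (e.g. EXP-RC4-MD5).
    exp = sorted(c for c in svc["ciphers"] if c.upper().startswith("EXP"))
    if exp:
        reasons.append("EXPORT ciphers: " + ", ".join(exp))
    return reasons

def shared_key_exposure(inventory):
    """Map each RSA key used by a weak endpoint to its weak and exposed endpoints."""
    by_key = defaultdict(list)
    for svc in inventory:
        by_key[svc["rsa_key"]].append(svc)
    report = {}
    for key, services in by_key.items():
        weak = {s["endpoint"]: weak_reasons(s) for s in services if weak_reasons(s)}
        if weak:
            # Properly configured endpoints are still at risk through the shared key.
            exposed = sorted(s["endpoint"] for s in services
                             if s["endpoint"] not in weak)
            report[key] = {"weak": weak, "exposed_via_shared_key": exposed}
    return report

if __name__ == "__main__":
    for key, entry in sorted(shared_key_exposure(INVENTORY).items()):
        print(key, entry)
```

Endpoints listed under `exposed_via_shared_key` need a new RSA key or a fix on the weak endpoint that shares it, even though their own configuration is correct.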
 
For Novell web applications (such as ZMM and GroupWise WebAccess and Calendar Publishing) that are hosted in existing web servers, please consult your web server documentation to ensure that your web server is configured properly to disable SSLv2:

  • IIS - For more information on how to verify that IIS is configured to disable SSL v2, see Microsoft's web site (such as https://technet.microsoft.com/en-us/library/dd450371.aspx) or contact Microsoft technical support.
  • Apache - https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol (Note: if you are running Apache on OES/SLES and apply the OS patch, then a manual configuration of Apache is unnecessary, as SSLv2 will be disabled by default in the updated version of OpenSSL.)

For more information, please see:

Status

Security Alert

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7017316
  • Creation Date: 01-MAR-16
  • Modified Date: 03-MAR-16
    • Novell
      Desktop Containers (ZENworks Application Virtualization)
      Filr
      GroupWise
      Mobile Management (ZENworks Mobile Management)
      Messenger
      Open Enterprise Server
      Service Desk
      Vibe
      ZENworks Asset Management
      ZENworks Configuration Management
      ZENworks Desktop Management
      ZENworks Endpoint Security Management
      ZENworks Full Disk Encryption
      ZENworks Handheld Management
      ZENworks Linux Management
      ZENworks Patch Management
      ZENworks Server Management
