Environment
NetIQ Identity Manager 4.5.x
Situation
Is Identity Manager susceptible to the DROWN attack?
Resolution
In technical terms, DROWN is a new form of cross-protocol Bleichenbacher padding oracle attack (http://crypto.stackexchange.com/questions/12688/can-you-explain-bleichenbachers-cca-attack-on-pkcs1-v1-5). It allows an attacker to decrypt intercepted TLS connections by making specially crafted connections to an SSLv2 server that uses the same private key
CVE:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0800
Details:
What is vulnerable?
Any server product which provides SSLv2, or is potentially hosted under SSLv2 is potentially vulnerable.
IDM is not vulnerable to the DROWN attack because
- The native components utilizing OpenSSL already disabled SSLv2 (&SSLv3) as a part of the POODLE fix.
- Java apps using JSSE are not vulnerable as SSLv2 is not implemented