Environment
Novell Open Enterprise Server 11 (OES 11) Linux
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 2
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 1
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 2
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 1
Situation
A bug in the openssl libraries allows a client to accept a weaker export grade RSA key. This is only applicable in scenarios where the server supports the EXPORT cipher suites. This allows a man in the middle to negotiate a weaker protocol with the server than the client asked for and then “trick” the client into accepting the weaker key. With the weaker encryption in place, the traffic between the client and server can be more easily decrypted using known attacks on the RSA export encryption.
From Mitre:
From Mitre:
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role.
Severity: Low
Resolution
Install available patches for affected products as soon as possible
Additional Information
Impacted Novell Products:
- Novell Filr – Not Vulnerable
- Novell iPrint Appliance – Not Vulnerable
- Novell Open Enterprise Server – Patches available
- Novell GroupWise – Not Vulnerable
- Novell Messenger – Not Vulnerable
- Novell eDirectory - Currently being analyzed
- Novell Client - Currently being analyzed
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204