Novell products and OpenSSL DROWN vulnerability (CVE-2016-0800)

  • 7017316
  • 01-Mar-2016
  • 03-Mar-2016

Environment

OpenSSL released a security advisory on March 1, 2016 including a high severity vulnerability (CVE-2016-0800) that could allow an attacker to compromise TLS session keys. 

Situation

The attack requires OpenSSL be configured to allow SSLv2 and/or EXPORT ciphers, and is unique in that a poorly configured service can be used to compromise a properly configured service using the same RSA key.

Resolution

The newly released version of OpenSSL addresses this vulnerability by disabling SSLv2 and EXPORT ciphers by default. Novell products are not affected as they have already been configured by default to disallow SSLv2 and EXPORT ciphers for quite some time.

Note that if the customer environment includes non-Novell services that are configured insecurely to allow SSLv2 and/or EXPORT ciphers and that share an RSA key with properly configured Novell services, the Novell services could be compromised as a result. Customers should work with all vendors to ensure that their TLS services are properly configured.
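The shared-key condition described above can be checked against a service inventory. The following is an added example, not Novell or OpenSSL code: the endpoint names, key labels and the `Endpoint` fields are constructed for illustration and assume that each service's RSA public key fingerprint and protocol settings have already been collected.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str             # service label (constructed)
    key_fp: str           # fingerprint of the RSA *public key*, not of the certificate
    sslv2: bool           # endpoint accepts SSLv2
    export_ciphers: bool  # endpoint accepts EXPORT cipher suites

    @property
    def weak(self) -> bool:
        return self.sslv2 or self.export_ciphers


def drown_exposure(endpoints):
    """Map each RSA key served by at least one weak endpoint to the weak
    endpoints and to the properly configured endpoints that share the key."""
    # Group by public key: two different certificates can wrap the same key,
    # so grouping by certificate fingerprint would miss shared keys.
    by_key = defaultdict(list)
    for ep in endpoints:
        by_key[ep.key_fp].append(ep)

    report = {}
    for fp, group in by_key.items():
        weak = sorted(e.name for e in group if e.weak)
        if weak:
            exposed = sorted(e.name for e in group if not e.weak)
            report[fp] = {"weak": weak, "exposed": exposed}
    return report


# Constructed inventory for illustration only.
INVENTORY = [
    Endpoint("groupwise-webaccess:443", "KEY-A", sslv2=False, export_ciphers=False),
    Endpoint("legacy-mail:993", "KEY-A", sslv2=True, export_ciphers=False),
    Endpoint("zmm:443", "KEY-B", sslv2=False, export_ciphers=False),
    Endpoint("old-appliance:8443", "KEY-C", sslv2=False, export_ciphers=True),
]

if __name__ == "__main__":
    for fp, entry in drown_exposure(INVENTORY).items():
        print(f"{fp}: weak={entry['weak']} exposed={entry['exposed']}")
```

A key listed with a non-empty `exposed` list is the case the note describes: fix or re-key the weak endpoints, since hardening the exposed service alone does not remove the risk.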
 
For Novell web applications (such as ZMM and GroupWise WebAccess and Calendar Publishing) that are hosted in existing web servers please consult your web server documentation to ensure that your web server is configured properly to disable SSLv2:

  • IIS - For more information on how to verify that IIS is configured to disable SSL v2, see Microsoft's web site (such as https://technet.microsoft.com/en-us/library/dd450371.aspx) or contact Microsoft technical support.
  • Apache - https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol (Note: if you are running Apache on OES/SLES and apply the OS patch then a manual configuration of Apache is unnecessary as SSLv2 will be disabled by default in the updated version of OpenSSL)

For more information, please see:

Status

Security Alert