
Patch to address OpenSSL issue for proxy servers (UPDATE)


Article ID: 161897


Products

Mobility Suite

Issue/Introduction

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.

For more information about this vulnerability, go to the following link: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204

Resolution

Apply a patch to your proxy:

1. Download the file (Proxy_x86_64_R5.22.openssl101m.patch.zip) attached to this KB and unzip it. The unzipped file is an ISO that contains a script. The script detects an App Proxy or Email Proxy installation, displays the currently used version of OpenSSL and the version to be applied, and prompts you to apply the patch.

2. After you extract the .iso file, mount the .iso on your App Proxy, Email Proxy or Secure Proxy server.

3. Type the following command:

      ./apply.sh

  • Note: Symantec Secure Proxy integrates its own captive OpenSSL instance directly. Symantec Secure Proxy does not use or modify any other OpenSSL instances, including one that your operating system may use by default. The attached patch fixes Symantec Secure Proxy's captive OpenSSL instance. You may need to upgrade or patch your operating system separately.
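The script displays the OpenSSL version in use and the version to be applied; the following added example (not part of this KB or of the patch's apply.sh) checks such a version string against the fixed releases named in the CVE-2015-0204 description above (0.9.8zd, 1.0.0p, 1.0.1k), so you can confirm that the pre-patch version is affected and the post-patch version is not. It assumes the string has the form "1.0.1k" or "1.0.1k-fips", as printed by `openssl version`; the sample value 1.0.1m is inferred from the attachment name.

```shell
#!/bin/sh
# Added example, not part of this KB or of the patch's apply.sh script.
# Classifies an OpenSSL version string against the fixed releases named in
# the CVE-2015-0204 text: 0.9.8zd, 1.0.0p, 1.0.1k.

# Rank an OpenSSL letter suffix so that "" < "a" < ... < "z" < "za" < "zb" ...
# (the 0.9.8 branch went past "z" into two-letter suffixes such as "zd").
suffix_rank() {
    s=$1
    if [ -z "$s" ]; then echo 0; return; fi
    last=${s#"${s%?}"}                 # last character of the suffix
    code=$(printf '%d' "'$last")       # its ASCII code ('a' = 97)
    echo $(( ${#s} * 100 + code - 96 ))
}

# Exit status 0: vulnerable (below the fixed release for its branch).
# Exit status 1: fixed release or later on that branch.
# Exit status 2: branch not covered by the CVE text (for example 1.0.2).
freak_vulnerable() {
    v=${1%%-*}                  # drop tails such as "-fips"
    branch=${v%%[a-z]*}         # "1.0.1k" -> "1.0.1"
    suffix=${v#"$branch"}       # "1.0.1k" -> "k"
    case $branch in
        0.9.8) fixed=zd ;;
        1.0.0) fixed=p ;;
        1.0.1) fixed=k ;;
        *)     return 2 ;;
    esac
    [ "$(suffix_rank "$suffix")" -lt "$(suffix_rank "$fixed")" ]
}

# Print a one-line verdict for a version string.
freak_status() {
    rc=0
    freak_vulnerable "$1" || rc=$?
    case $rc in
        0) echo "$1: VULNERABLE to CVE-2015-0204, apply the patch" ;;
        1) echo "$1: not affected (fixed release or later)" ;;
        *) echo "$1: branch not covered by the CVE text, check upstream" ;;
    esac
}

# Constructed sample values: a pre-fix 1.0.1j, the 1.0.1m implied by the
# attachment name, and a late 0.9.8 release that is still below 0.9.8zd.
freak_status 1.0.1j
freak_status 1.0.1m
freak_status 0.9.8zc
```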

Attachments

Proxy_x86_64_R5.22.openssl101m.patch.zip