Patch to address OpenSSL issue for proxy servers (UPDATE)
Article ID: 161897
Updated On:
Products
Mobility Suite
Issue/Introduction
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.
For more information about this vulnerability, go to the following link: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204
For more information about this vulnerability, go to the following link: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204
Resolution
Apply a patch to your proxy:
1. Download the file (Proxy_x86_64_R5.22.openssl101m.patch.zip ) attached to this KB. Unzip the file. The unzipped file is an ISO that contains a script. The script detects App Proxy or Email Proxy installation, displays currently used versions of OpenSSL and the version to be applied, and prompts you to apply the patch.
2. After you extract the .iso file, mount the .iso on your app proxy, email proxy or secure proxy server.
3. Type the following command:
./apply.sh
- Note: Symantec Secure Proxy integrates it's own captive OpenSSL instance directly. Symantec Secure Proxy does not use or modify any other OpenSSL instances, including one that your operating system may use by default. The attached patch fixes Symantec Secure Proxy's captive OpenSSL instance. You may need to upgrade/patch your operating system separately.
Attachments
Feedback
Yes
No
Powered by
