Article ID: 162027
A new OpenSSL vulnerability has been found; it is described in the following articles:
Note that this issue affects ITMS 7.5 and ITMS 7.6 in scenarios where the Symantec Management Agent establishes an HTTPS connection to a server that supports EXPORT (export-grade) cipher suites.
- According to Microsoft's "Cipher Suites in Schannel" article, EXPORT ciphers are disabled by default on Windows Server 2008 and newer, but administrators should double-check that they were not enabled manually.
- Site servers installed on Windows 2003, or on Linux with Apache 2.2, may be affected, because the Apache 2.2 default SSLCipherSuite value (ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP) enables EXPORT ciphers. (http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite)
- The CEM Internet Gateway is affected by this issue because it uses Apache 2.2.
The solution is to disable EXPORT ciphers on all servers in the environment.
Note that an updated version of OpenSSL is also shipped in some of the ITMS pointfixes and hotfixes; disabling EXPORT ciphers on the servers is still required.
- See Microsoft's article https://support.microsoft.com/en-us/kb/245030 (Schannel registry settings under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL) for how to do this on Windows computers.
- The suggestion below works for Apache servers (Linux Package Servers and the CEM Internet Gateway):
Append :!EXPORT to the existing SSLCipherSuite directive in the SSL section of the Apache configuration file (note the directive name is SSLCipherSuite, not SSLCipherSuites). Keep the current cipher list and add the exclusion at the end; a directive consisting only of an exclusion leaves no cipher enabled and Apache will fail to serve TLS. Use !EXPORT (alias !EXP): !EDH is a different alias that removes all ephemeral Diffie-Hellman suites and leaves the RSA export-grade suites enabled. Restart Apache after the change.
Example (Apache 2.2 default list with the exclusion appended): SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:!EXPORT
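The script below is an added example for this article; it is not code from the original page or from the ITMS product. It audits Apache configuration text for SSLCipherSuite directives that still permit EXPORT ciphers and appends :!EXPORT to them without discarding the existing list. The sample ssl.conf fragment, the certificate path in it, and the script name are constructed for illustration.

```python
"""Audit and harden Apache SSLCipherSuite directives against EXPORT-grade ciphers.

Added example for this article, not part of the original page or of ITMS.
It edits configuration text only; restart Apache yourself after writing the file.
"""
import re
import sys

# Constructed sample: the Apache 2.2 default cipher list from the mod_ssl
# documentation, placed in an ssl.conf-style virtual host (hypothetical paths).
SAMPLE_SSL_CONF = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
"""

# One SSLCipherSuite directive per line: indent, cipher string, trailing text.
DIRECTIVE_RE = re.compile(r"^([ \t]*)SSLCipherSuite[ \t]+(\S+)(.*)$", re.MULTILINE)

# OpenSSL aliases that remove every export-grade suite. '!' is permanent in the
# cipher-list grammar, so a later '+EXP' or plain 'EXP' cannot re-enable them.
EXPORT_KILL_TOKENS = ("!EXPORT", "!EXP")


def excludes_export(cipher_string):
    """Return True if the cipher string permanently removes EXPORT ciphers."""
    return any(tok in EXPORT_KILL_TOKENS for tok in cipher_string.split(":"))


def audit(config_text):
    """Return (line_number, cipher_string, export_excluded) per directive."""
    findings = []
    for m in DIRECTIVE_RE.finditer(config_text):
        line_no = config_text.count("\n", 0, m.start()) + 1
        findings.append((line_no, m.group(2), excludes_export(m.group(2))))
    return findings


def harden(config_text):
    """Append ':!EXPORT' to every SSLCipherSuite that still allows export ciphers.

    The existing list is kept and only the exclusion is added, so a directive
    is never reduced to a bare '!EXPORT', which would leave no cipher enabled.
    """
    def fix(m):
        indent, value, rest = m.groups()
        if excludes_export(value):
            return m.group(0)
        return "%sSSLCipherSuite %s:!EXPORT%s" % (indent, value, rest)
    return DIRECTIVE_RE.sub(fix, config_text)


def has_directive(config_text):
    """A config without SSLCipherSuite uses the compiled-in default, which on
    Apache 2.2 includes '+EXP', so 'no directive' is itself a finding."""
    return DIRECTIVE_RE.search(config_text) is not None


if __name__ == "__main__":
    # Usage: python audit_export_ciphers.py [ssl.conf] [--fix]
    args = [a for a in sys.argv[1:] if a != "--fix"]
    target = args[0] if args else None
    text = open(target).read() if target else SAMPLE_SSL_CONF
    label = target or "<constructed sample>"
    if not has_directive(text):
        print("%s: no SSLCipherSuite directive; Apache 2.2 default enables EXPORT" % label)
    for line_no, value, ok in audit(text):
        print("%s:%d %s -> %s" % (label, line_no, value, "ok" if ok else "EXPORT allowed"))
    if "--fix" in sys.argv and target:
        with open(target, "w") as f:
            f.write(harden(text))
        print("%s: hardened, restart Apache" % label)
    else:
        print(harden(text))
```

Run it with no arguments to see the audit and hardened output for the constructed sample, or point it at the real ssl.conf (and pass --fix to rewrite the file). After restarting Apache, confirm the fix from another host with openssl s_client -connect server:443 -cipher EXPORT, which must fail to negotiate a session; an older OpenSSL build that still has export suites compiled in is needed for that check to be meaningful.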
For more information, see the following article: