The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.
For more information about this vulnerability, go to the following link: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204
Apply a patch to your proxy:
1. Download the file (Proxy_x86_64_R5.22.openssl101m.patch.zip ) attached to this KB. Unzip the file. The unzipped file is an ISO that contains a script. The script detects App Proxy or Email Proxy installation, displays currently used versions of OpenSSL and the version to be applied, and prompts you to apply the patch.
2. After you extract the .iso file, mount the .iso on your app proxy, email proxy or secure proxy server.
3. Type the following command: