tomcat-users mailing list archives

From "Caldarale, Charles R" <Chuck.Caldar...@unisys.com>
Subject RE: CVE-2015-0204 - FREAK vulnerability on tomcat 7.
Date Fri, 15 May 2015 12:37:33 GMT
> From: Penubothu, Srinivasa M [mailto:srinivasa.penubothu@bankofamerica.com] 
> Subject: RE: CVE-2015-0204 - FREAK vulnerability on tomcat 7.

> Title: SSL/TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
> CVE ID: CVE-2015-0204

That particular CVE number is only for the OpenSSL client side of the problem.  Whether or
not your server accepts RSA export keys is controlled by configuration, and is not officially
a CVE item.

> Diagnosis: The remote SSL/TLS server accepts RSA_EXPORT cipher suites which is vulnerable
> to session downgrade vulnerability.
> Result: Exploitation allows an attacker to bypass security restrictions on the targeted
> host.
> Recommended Solution: Disable RSA_EXPORT cipher suites.

> Trying to find how to apply this fix in Tomcat 7. Appreciate your help!

Read this mailing list thread:
http://marc.info/?l=tomcat-user&m=142911397006702&w=2

 - Chuck
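One way to check the configuration the thread is about, as an added example (not code from the thread, from Chuck, or from Tomcat itself): a script that parses a Tomcat 7 server.xml and flags HTTPS connectors that could still offer RSA_EXPORT suites, looking at the real Connector attributes `ciphers` (JSSE connectors, Java suite names) and `SSLCipherSuite` (APR connectors, OpenSSL cipher string). The server.xml content below is constructed for the example.

```python
"""Audit a Tomcat 7 server.xml for HTTPS connectors that may still offer RSA_EXPORT suites."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not a real deployment) with three HTTPS connectors.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"/>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5"/>
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCipherSuite="HIGH:!aNULL:!MD5:!EXP"/>
  </Service>
</Server>
"""

def is_export_suite(name):
    """True for a JSSE cipher-suite name of an export-grade suite, e.g. SSL_RSA_EXPORT_WITH_RC4_40_MD5."""
    return "_EXPORT_" in name.upper()

def audit_connectors(server_xml):
    """Return {port: finding} for SSL-enabled connectors whose config may still offer export suites."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port")
        jsse = conn.get("ciphers")          # JSSE connectors: comma-separated Java suite names
        apr = conn.get("SSLCipherSuite")    # APR connectors: OpenSSL cipher string
        if jsse is None and apr is None:
            # Nothing pins the suite list, so the JVM or OpenSSL defaults decide what is offered.
            findings[port] = "no cipher list configured; defaults decide whether export suites are offered"
        elif jsse is not None:
            bad = [c.strip() for c in jsse.split(",") if is_export_suite(c)]
            if bad:
                findings[port] = "export suite(s) explicitly enabled: " + ", ".join(bad)
        elif "!EXP" not in apr.upper():
            # Conservative heuristic: only an explicit !EXP / !EXPORT exclusion is accepted as proof.
            findings[port] = "OpenSSL cipher string does not exclude EXP suites: " + apr
    return findings

if __name__ == "__main__":
    for port, finding in sorted(audit_connectors(SAMPLE_SERVER_XML).items()):
        print("connector %s: %s" % (port, finding))
```

Run it against a real server.xml by reading the file into `audit_connectors`; the APR check is deliberately conservative, since only OpenSSL itself can fully evaluate a cipher string.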
