Summary
The logjam and the short Diffie-Hellman key vulnerabilities
Environment
All supported platforms and versions
Question/Problem Description
The following two vulnerabilities apply to the VisiBroker products:
Logjam:
The so-called Logjam vulnerability relies upon the ability to downgrade a cipher set negotiation to use export strength 40-bit ciphers.
Passive eavesdropping is possible due to re-use of short Diffie-Hellman keys:
Through the use of massive amounts of computing power, it is possible to eavesdrop passively upon packet exchanges that are protected using well-known Diffie-Hellman keys of 1024bit or lower. The amount of processing power required is only likely to be within the reach of very large corporations or nation states.
Resolution
Logjam
In its default installation state VisiBroker does not allow negotiation of export strength ciphers and is therefore not vulnerable to the Logjam attack.
However, to enable backward compatibility it is possible for customers to deliberately configure the use of export ciphers in VisiBroker installations.
We strongly recommend that customers do not configure the use of export strength ciphers. However if customers must use export strength ciphers, we recommend that this use only takes place within a secure, preferably isolated, network environment.
Passive eavesdropping is possible due to re-use of short Diffie-Hellman keys:
Until the release of a patch to VisiBroker that contains both new and larger keys, Customers who are concerned about this vulnerability should use non-DH cipher suites, or elliptic-curve DH (ECDH) cipher suites, or DH cipher suites with group sizes larger than 1024 bits.
Note: To avoid previously published vulnerabilities we always recommend that VisiBroker customers use the OpenSSL security provider.
Notes
The information in the above article is accurate as of May 22nd, 2015. This article will be amended as needed.
#Vulnerabilities
#Security
#VisiBroker
