    Security Advisory- DROWN vulnerability (CVE-2016-0800) – Updated March 6, 2016

    Subject: DROWN vulnerability (CVE-2016-0800) – Updated March 6, 2016

    Overview

    Ex Libris has been made aware of a recently discovered vulnerability known as DROWN (Decrypting RSA with Obsolete and Weakened Encryption) that affects HTTPS and other services relying on SSL/TLS implementations. It is rated as “High”.

    An unauthorized user can exploit this vulnerability to read or steal information sent over the ‘secure connection’ by decrypting the SSL/TLS session. The attack succeeds as long as the targeted system supports SSLv2, even if the connections it serves never use SSLv2. The flaw is in the SSLv2 protocol itself and affects all implementations.

    A server is vulnerable to a DROWN attack if either of the following two conditions is met:

    1. It supports SSLv2 requests.
    2. Its private key is used on any other server that allows SSLv2 connections, even if the server itself only uses newer SSL/TLS protocol versions.

    Detailed information about this vulnerability can be found in the Red Hat advisory for CVE-2016-0800.

    Additional references

    More detailed analysis of this vulnerability is available from:

    • https://access.redhat.com/articles/2176731
    • https://drownattack.com/
    • https://www.us-cert.gov/ncas/current...2-DROWN-Attack
    Effective Security Severity Level:

    High

    Affected Systems:

    Ex Libris products using SSL traffic (HTTPS) where SSLv2 is still enabled.

    Tests and Certifications:

    The mitigation for this vulnerability has been identified, tested and certified for Ex Libris products.

    Actions Taken for Hosted Systems:

    Ex Libris cloud is protected from this vulnerability.

    Required Actions for On-Premises and Local Systems:

    Ex Libris strongly recommends the following:

    1. Apply the latest 3rd party update using the Util SP command, as explained in the Ex Libris article.
    2. As a best practice, add the following mitigation (steps 3 and 4):
    3. Back up the Apache ssl.conf file.
    4. Update the ssl.conf file with the following lines:
    • SSLProtocol all -SSLv2 -SSLv3
    • SSLHonorCipherOrder on
    • Replace the SSLCipherSuite setting with the following (a single line):

    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
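    As an added example (not Ex Libris code), the following POSIX shell audit checks an ssl.conf against the settings in steps 3 and 4 above, so the change can be verified on each on-premises host before Apache is restarted; the script and function names, and the example file path, are assumptions.

```shell
#!/bin/sh
# Added example, not Ex Libris code: audit an Apache ssl.conf for the DROWN
# mitigation prescribed in this advisory. Assumes directives are uncommented,
# one per line. Prints one line per finding; returns 0 only if every check passes.
# Return 0 if one SSLProtocol line leaves protocol $2 (SSLv2 or SSLv3) disabled.
protocol_disabled() {
    case "$1" in
        *+"$2"*)                 return 1 ;;  # explicitly enabled
        *-"$2"*|*-[Aa][Ll][Ll]*) return 0 ;;  # "-SSLv2" or "-all +TLSv1.2" style
        *[Aa][Ll][Ll]*|*"$2"*)   return 1 ;;  # "all", or the version listed bare
        *)                       return 0 ;;  # only newer versions listed
    esac
}

audit_ssl_conf() {
    rc=0
    # Drop comment lines and leading whitespace so only live directives are checked.
    live=$(sed -e 's/^[[:space:]]*//' -e '/^#/d' "$1")
    proto=$(printf '%s\n' "$live" | grep -i '^SSLProtocol' || true)
    suite=$(printf '%s\n' "$live" | grep -i '^SSLCipherSuite' || true)
    [ -n "$proto" ] || { echo "FAIL: no SSLProtocol directive"; rc=1; }
    [ -n "$suite" ] || { echo "FAIL: no SSLCipherSuite directive"; rc=1; }
    # Every SSLProtocol line (one per vhost) must leave SSLv2 and SSLv3 off.
    while IFS= read -r line; do
        for p in SSLv2 SSLv3; do
            protocol_disabled "$line" "$p" || { echo "FAIL: $p not disabled: $line"; rc=1; }
        done
    done <<EOF
$proto
EOF
    printf '%s\n' "$live" | grep -Eiq '^SSLHonorCipherOrder[[:space:]]+on([[:space:]]|$)' \
        || { echo "FAIL: SSLHonorCipherOrder is not on"; rc=1; }
    # Exclusions from the advisory's cipher string; each SSLCipherSuite line must keep them.
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        for excl in '!aNULL' '!eNULL' '!EXPORT' '!DES' '!RC4' '!MD5'; do
            case "$line" in
                *"$excl"*) ;;
                *) echo "FAIL: $excl missing from: $line"; rc=1 ;;
            esac
        done
    done <<EOF
$suite
EOF
    [ "$rc" -eq 0 ] && echo "OK: $1 matches the advisory's mitigation"
    return "$rc"
}
# Usage: sh drown_audit.sh /etc/httpd/conf.d/ssl.conf (path is an assumption)
if [ "$#" -gt 0 ]; then audit_ssl_conf "$1"; exit "$?"; fi
```

    This checks only the configuration of the host it runs on; the advisory's second condition (the same private key in use on any other server that still allows SSLv2) is not visible in ssl.conf and has to be checked on every host that shares the certificate.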