Security Advisory- DROWN vulnerability (CVE-2016-0800) – Updated March 6, 2016
Subject: DROWN vulnerability (CVE-2016-0800) – Updated March 6, 2016
Ex Libris has been made aware of a recently discovered vulnerability known as DROWN (Decrypting RSA with Obsolete and Weakened Encryption) that affects HTTPS and other services that rely on SSL/TLS implementations and is rated as “High”.
An unauthorized user can execute this vulnerability to read or steal information sent via the ‘secure connection’ by decrypting the SSL session.The attack will succeed as long as the targeted system supports the SSLv2, even if the system is not running SSLv2. This flaw is in the SSLv2 protocol, and affects all implementations.
A server is vulnerable to a DROWN attack if either of the following two conditions are met:
- It supports SSLv2 requests
- Its private key is used on any other server that allows SSLv2 connections, even for newer SSL/TLS
Detailed information about this vulnerability can be found in the Red Hat advisory CVE-2016-0800 where more information is available.
More detailed analysis of this vulnerability is available from:
Effective Security Severity Level:
Ex Libris products using SSL traffic (HTTPS) where SSLv2 is still enabled.
Tests and Certifications:
The mitigation for this vulnerability has been identified and tested and certified for Ex Libris products.
Actions Taken for Hosted Systems:
Ex Libris cloud is protected from this vulnerability.
Required Actions for On-Premises and Local Systems:
Ex Libris strongly recommends the following:
- Apply the latest 3rd party update using Util SP command as explained in the Ex Libris article.
- As a best practice, add the following mitigation:
- Back up the Apache ssl.conf file
- Update the ssl.conf file with the following lines:
- SSLProtocol all -SSLv2 -SSLv3
- SSLHonorCipherOrder on
- Replace the SSLCipherSuite setting with the following: