Proactive Notification Advisory - WADE: CVE-2015-0204 "FREAK" Vulnerability

Document created by Mark_Hanson Employee on Mar 13, 2015

Dear CA Customer:

On Tuesday, March 3, 2015, a new SSL/TLS vulnerability, CVE-2015-0204, was disclosed. The attack is commonly called FREAK (Factoring attack on RSA-EXPORT Keys). It allows a ‘man in the middle’ attacker to downgrade a connection from ‘strong’ RSA to ‘export’-grade RSA, whose 512-bit keys can be factored with modest computing resources. The National Vulnerability Database rates this vulnerability MEDIUM under the Common Vulnerability Scoring System (CVSS).

 

PRODUCT(S) AFFECTED:    RELEASES:

SystemAgent             11.3.x


IMPACT:  

 

Some SSL/TLS client implementations, including affected versions of OpenSSL, have a flaw that lets an attacker force them to accept an export-grade RSA key: the client does not reject a ServerKeyExchange carrying a 512-bit RSA_EXPORT key even though it never negotiated an export cipher suite. The attack only works when the server is willing to negotiate an RSA_EXPORT cipher suite, so both a vulnerable client and an export-enabled server are required. The vulnerability affects a variety of clients.

CA Workload Automation DE schedulers are not exposed.

 

RECOMMENDATION(S):

 

SystemAgent 11.3.x

If the SystemAgent is configured and used as an FTP server, it is potentially vulnerable to a limited degree because of its use of FTP over SSL/TLS (FTPS). CA will address this in a future release.
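The following script is added here as an example; it is not part of CA's advisory or of the SystemAgent product. It checks the server-side precondition described under IMPACT and relevant to the FTPS recommendation above: it sends a TLS ClientHello that offers only RSA_EXPORT cipher suites and reports whether the server agrees to one. A server that answers with a ServerHello selecting an export suite can be used as a FREAK target; one that returns a handshake_failure alert cannot. The cipher suite IDs are the standard ones from RFC 2246; the host names, ports and the two reply byte strings are constructed for illustration.

```python
"""Probe whether a TLS server will negotiate an RSA_EXPORT cipher suite.

FREAK needs a server that still offers export-grade RSA: the man in the
middle rewrites the client's cipher list to RSA_EXPORT, and a flawed client
then accepts the 512-bit ServerKeyExchange key.  This script sends a
ClientHello that advertises ONLY RSA_EXPORT suites; a ServerHello back means
the server is a usable FREAK target, a handshake_failure alert means it is
not.  The constructed replies at the bottom let it run offline.
"""
import os
import socket
import struct
import sys

# Cipher suite IDs from RFC 2246 Appendix A.5 (RSA key exchange, export keys).
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE, ALERT = 0x16, 0x15            # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02  # handshake message types
TLS10 = b"\x03\x01"                      # legacy version; old FTPS servers accept it


def build_client_hello(server_name, suites=tuple(EXPORT_RSA_SUITES)):
    """Return a complete TLS record carrying a ClientHello that offers `suites`."""
    name = server_name.encode("idna")
    # server_name extension (RFC 6066): list_len, name_type=host_name(0), name_len, name
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    extensions = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    body = (
        TLS10
        + os.urandom(32)                               # client random
        + b"\x00"                                      # empty session id
        + struct.pack("!H", 2 * len(suites))
        + b"".join(struct.pack("!H", s) for s in suites)
        + b"\x01\x00"                                  # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!B", HANDSHAKE) + TLS10 + struct.pack("!H", len(handshake)) + handshake


def negotiated_suite(record):
    """Parse the first record of the server's reply.

    Returns the cipher suite ID from a ServerHello, or None when the server
    answered with an alert (normally handshake_failure) or anything unexpected.
    """
    if len(record) < 5:
        return None
    content_type, length = record[0], struct.unpack("!H", record[3:5])[0]
    payload = record[5:5 + length]
    if content_type != HANDSHAKE or len(payload) < 4 or payload[0] != SERVER_HELLO:
        return None
    # ServerHello: type(1) len(3) version(2) random(32) session_id<0..32> cipher_suite(2) ...
    pos = 4 + 2 + 32
    if len(payload) < pos + 1:
        return None
    pos += 1 + payload[pos]                 # skip session id
    if len(payload) < pos + 2:
        return None
    return struct.unpack("!H", payload[pos:pos + 2])[0]


def offers_export_rsa(record):
    """True if the server accepted one of the export RSA suites we offered."""
    return negotiated_suite(record) in EXPORT_RSA_SUITES


def probe(host, port=443, timeout=5.0):
    """Live check: connect, send the export-only ClientHello, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        return offers_export_rsa(sock.recv(4096))


# Constructed replies (not real captures) so the parser can be exercised offline.
# ServerHello selecting TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003), empty session id:
VULNERABLE_REPLY = (
    bytes([HANDSHAKE]) + TLS10 + struct.pack("!H", 42)
    + bytes([SERVER_HELLO]) + (38).to_bytes(3, "big")
    + TLS10 + bytes(32) + b"\x00" + b"\x00\x03" + b"\x00"
)
# Alert record: level fatal(2), description handshake_failure(40):
SAFE_REPLY = bytes([ALERT]) + TLS10 + struct.pack("!H", 2) + b"\x02\x28"

if __name__ == "__main__":
    if len(sys.argv) > 1:                   # e.g. python freak_probe.py ftps.example.com 990
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(f"{host}:{port} accepts export RSA = {probe(host, port)}")
    else:
        print("constructed ServerHello ->", offers_export_rsa(VULNERABLE_REPLY))  # True
        print("constructed alert       ->", offers_export_rsa(SAFE_REPLY))        # False
```

Pointed at an FTPS endpoint using implicit TLS (conventionally port 990), the probe works as written; explicit FTPS on port 21 first needs the plaintext FTP `AUTH TLS` exchange before the ClientHello, which this script does not perform. A `True` result only shows that the server side of the precondition is met; the client must also have the acceptance flaw for FREAK to succeed.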

 

Thank you,

CA Workload Automation Team
