Customer Security Notice on CVE-2015-4000 (Logjam) and CVE-2015-0204 (FREAK)

by | Aug 16, 2015

The engineering team at Deskera has been working to assess the impact for our customers in the wake of recent disclosures of CVE-2015-4000 popularly known as Logjam

Logjam vulnerability allows a man-in-the-middle network attacker to downgrade a Transport Layer Security (TLS) connection to use export-grade cryptography, allowing him to read the exchanged data and inject data into the connection. It affects the HTTPS, SMTPS, and IMAPS protocols, among others.

and CVE-2015-0204 which is also known as FREAK.

FREAK (“Factoring RSA Export Keys”) is a security exploit of a cryptographic weakness in the SSL/TLS protocols introduced decades earlier for compliance with U.S. cryptography export regulations. These involved limiting exportable software to use only public key pairs with RSA moduli of 512 bits or less (so-called RSA_EXPORT keys), with the intention of allowing them to be broken easily by the NSA, but not by other organizations with lesser computing resources. However, by the early 2010s, increases in computing power meant that they could be broken by anyone with access to relatively modest computing resources using the well-known Number Field Sieve algorithm. While the exploit was only discovered in 2015, its underlying vulnerabilities had been present for many years, dating back to the 1990s

In our endeavor to keep your Deskera account secure, we are responding to this critical vulnerability in OpenSSL’s handling of Diffie–Hellman key exchange and we’ve conducted a comprehensive security review in response. Based on the recommendations provided here, we have taken preventive action to safeguard Deskera services. Given the threat posed by this vulnerability and considering its visibility, we are proactively patching our affected services. The security of your Deskera account is of utmost importance to us and we have determined this to be the best and swiftest course of action. Further:

  1. The list of all ciphers supported by Java
  2. Ciphers recommended by NSA
  3. Whitelisting ciphers in Jetty web server for each SSLConnector block
    <Set name="includeCipherSuites">
        <Array type="java.lang.String">
            <Item>...</Item>
        </Array>
    </Set>
    

As always, if you have any questions about the security of your Deskera account, contact us at support@deskera.com.

Share This