Customer Security Notice on CVE-2015-4000 (Logjam) and CVE-2015-0204 (FREAK)
The Logjam vulnerability allows a man-in-the-middle network attacker to downgrade a Transport Layer Security (TLS) connection to export-grade cryptography, which lets the attacker read the exchanged data and inject data into the connection. It affects the HTTPS, SMTPS, and IMAPS protocols, among others.
FREAK (“Factoring RSA Export Keys”) is a security exploit of a cryptographic weakness in the SSL/TLS protocols that was introduced decades earlier for compliance with U.S. cryptography export regulations. These regulations limited exportable software to public key pairs with RSA moduli of 512 bits or less (so-called RSA_EXPORT keys), with the intention of allowing them to be broken easily by the NSA, but not by other organizations with lesser computing resources. However, by the early 2010s, increases in computing power meant that they could be broken by anyone with access to relatively modest computing resources using the well-known Number Field Sieve algorithm. While the exploit was only discovered in 2015, its underlying vulnerabilities had been present for many years, dating back to the 1990s.
- The list of all ciphers supported by Java
- Ciphers recommended by NSA
- Whitelisting ciphers in Jetty web server for each SSLConnector block
    <Set name="includeCipherSuites">
      <Array type="java.lang.String">
        <Item>...</Item>
      </Array>
    </Set>
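One way to produce the `<Item>` entries for that block is to filter a list of Java cipher suite names and drop the export-grade ones. This is an added example, not code from Deskera or the Jetty project; the class name, the markers beyond `_EXPORT_`, and the sample suite list are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

public class JettyCipherAllowList {
    // "_EXPORT_" covers the export-grade suites behind Logjam (DHE_EXPORT) and
    // FREAK (RSA_EXPORT). The remaining markers are this example's assumption.
    private static final String[] WEAK_MARKERS = {"_EXPORT_", "_anon_", "_NULL_", "_RC4_", "_DES_"};

    static boolean isWeak(String suite) {
        for (String marker : WEAK_MARKERS) {
            if (suite.contains(marker)) return true;
        }
        return false;
    }

    // Keep only the suites that carry none of the weak markers.
    static List<String> allowList(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String suite : supported) {
            if (!isWeak(suite)) keep.add(suite);
        }
        return keep;
    }

    // Render the list in the shape of the includeCipherSuites block.
    static String toJettyXml(List<String> suites) {
        StringBuilder xml = new StringBuilder("<Set name=\"includeCipherSuites\">\n")
            .append("  <Array type=\"java.lang.String\">\n");
        for (String suite : suites) {
            xml.append("    <Item>").append(suite).append("</Item>\n");
        }
        return xml.append("  </Array>\n</Set>").toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample; pass "jvm" to use this JVM's supported suites instead.
        String[] supported = {
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
            "TLS_DH_anon_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_RSA_WITH_AES_128_CBC_SHA"
        };
        if (args.length > 0 && args[0].equals("jvm")) {
            supported = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        }
        System.out.println(toJettyXml(allowList(supported)));
    }
}
```

With the constructed sample, only the two non-export, authenticated suites remain in the generated block; review the generated list before pasting it into each SSLConnector.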
As always, if you have any questions about the security of your Deskera account, contact us at email@example.com.