CVE-2015-0204 OpenSSL Vulnerability aka “FREAK”

  • 7016260
  • 04-Mar-2015
  • 31-Mar-2015


Novell Open Enterprise Server 11 (OES 11) Linux
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 2
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 1


A bug in the openssl libraries allows a client to accept a weaker export grade RSA key. This is only applicable in scenarios where the server supports the EXPORT cipher suites. This allows a man in the middle to negotiate a weaker protocol with the server than the client asked for and then “trick” the client into accepting the weaker key. With the weaker encryption in place, the traffic between the client and server can be more easily decrypted using known attacks on the RSA export encryption.The Novell server products listed below as “Not Vulnerable” are configured by default to disallow the EXPORT cipher suites thereby invalidating this attack.

From Mitre:
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before  1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force  decryption by offering a weak ephemeral RSA key in a noncompliant role. 
Severity: Low 


Install available patches for affected products as soon as possible

Additional Information

Impacted Novell Products:

  • Novell Filr – Not Vulnerable
  • Novell iPrint Appliance – Not Vulnerable
  • Novell Open Enterprise Server – Patches available
  • Novell GroupWise – Not Vulnerable
  • Novell Messenger – Not Vulnerable
  • Novell eDirectory - Currently being analyzed
  • Novell Client - Currently being analyzed