Logjam TLS vulnerability and eDirectory

  • 7016539
  • 27-May-2015
  • 15-Jun-2015

Environment

NetIQ eDirectory 8.8 SP8
NetIQ iManager 2.7 SP7

Situation

A new flaw has been found in TLS.  Like the previously identified FREAK vulnerability, Logjam tricks a server into using older 512-bit export-grade keys, which are easily broken.  This can result in a man-in-the-middle attack.
 

Resolution

This vulnerability only affects servers that support DHE_EXPORT ciphers.  By default, neither eDirectory nor iManager's Tomcat has these ciphers enabled.
 
Note: an administrator can expose Tomcat to this vulnerability by manually specifying a low cipher level
(iManager -> configure -> iManager Server -> Configure iManager -> Encryption -> cipher level = low).  If the low cipher level is selected in iManager, the DHE_EXPORT cipher suites will be enabled.  This operation modifies the Apache Tomcat configuration file (server.xml) and adds the weak cipher suites. Support's recommendation is to not lower the cipher level.
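To confirm that a Tomcat instance has not been switched to the low cipher level, server.xml can be checked for DHE_EXPORT suites. The script below is an added example, not NetIQ code; it assumes the suites are listed in the Connector's ciphers attribute, and the sample server.xml is constructed for illustration, not taken from an iManager install.

```python
import re
import xml.etree.ElementTree as ET

# Explicit DHE_EXPORT suite names: JSSE style (TLS_/SSL_DHE_*_EXPORT_*)
# and OpenSSL style (EXP-EDH-* / EXP-DHE-*).
DHE_EXPORT = re.compile(
    r"^(?:(?:TLS|SSL)_DHE_\w+_EXPORT_\w+|EXP-(?:EDH|DHE)-[\w-]+)$"
)

def find_dhe_export(server_xml_text):
    """Return [(connector port, [DHE_EXPORT suites])] for every <Connector>
    whose ciphers attribute names at least one DHE_EXPORT suite."""
    findings = []
    root = ET.fromstring(server_xml_text)
    for conn in root.iter("Connector"):
        ciphers = conn.get("ciphers", "")
        # JSSE lists are comma-separated, OpenSSL strings colon-separated.
        suites = [s.strip() for s in re.split(r"[,:]", ciphers) if s.strip()]
        weak = [s for s in suites if DHE_EXPORT.match(s)]
        if weak:
            findings.append((conn.get("port", "?"), weak))
    return findings

# Constructed sample: one plain HTTP connector and one TLS connector whose
# cipher list mixes a normal DHE suite, an RSA export suite (FREAK-class,
# not DHE_EXPORT) and two DHE_EXPORT suites.
SAMPLE = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
      ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
               SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
               SSL_RSA_EXPORT_WITH_RC4_40_MD5,
               SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for port, weak in find_dhe_export(SAMPLE):
        print(f"Connector on port {port} enables DHE_EXPORT: {', '.join(weak)}")
```

The check matches explicit suite names only; an OpenSSL-style cipher string that uses group keywords such as EXPORT would need to be expanded with the openssl ciphers command before checking.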
 

Additional Information

Additional OpenSSL vulnerabilities were reported after this notice.  eDirectory is susceptible to two of these.  eDirectory's exposure to each is listed below:
 
  • Affected
    • CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
      • Moderate - an OpenSSL bug that results in an infinite loop causing a DoS.
    • CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
      • Moderate - PKCS7 crash with missing EnvelopedContent leading to a DoS
  • Not affected
    • CVE-2015-4000 (Logjam)
      • eDirectory is not vulnerable
    • CVE-2015-1788 - Malformed ECParameters causes infinite loop
      • NTLS does not support EC
    • CVE-2015-1792 - CMS verify infinite loop with unknown hash function
      • NTLS does not have this code
    • CVE-2015-1791 - Race condition handling NewSessionTicket
      • NTLS does not have this code
    • CVE-2014-8176 - Invalid free in DTLS
      • NTLS does not support DTLS