Identity Manager : OpenSSL vulnerability DROWN (CVE-2016-0800)

  • 7017374
  • 16-Mar-2016
  • 16-Mar-2016


NetIQ Identity Manager 4.5.x


Is Identity Manager susceptible to the DROWN attack?


In technical terms, DROWN is a new form of cross-protocol Bleichenbacher padding oracle attack. It allows an attacker to decrypt intercepted TLS connections by making specially crafted connections to an SSLv2 server that uses the same private key as the TLS server. The SSLv2 service does not have to be the one that served the intercepted TLS traffic: any server that accepts SSLv2 with that key (another port, another protocol or another host sharing the certificate) acts as the oracle.



What is vulnerable?

Any server product that accepts SSLv2 connections is potentially vulnerable, and so is any TLS service whose private key is also installed on a server that still accepts SSLv2.

IDM is not vulnerable to the DROWN attack because:

  • The native components that use OpenSSL already have SSLv2 (and SSLv3) disabled as part of the POODLE fix.
  • Java components that use JSSE are not vulnerable, as JSSE does not implement SSLv2.

Because DROWN targets the private key rather than the IDM service itself, also verify that the IDM server certificate and key are not reused on any other server (for example an older web, mail or LDAP front end) that still accepts SSLv2.
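The following probe confirms, for any TLS listener in the deployment, that the precondition for DROWN (an SSLv2 SERVER-HELLO in answer to an SSLv2 CLIENT-HELLO) is absent. It is an added example for this article, not NetIQ or Identity Manager code. It builds and parses the SSLv2 record format directly, because modern OpenSSL builds no longer ship `openssl s_client -ssl2`; the host, port and the sample server reply are assumptions and constructed data, not captures from an IDM system.

```python
"""Probe a TLS endpoint for SSLv2 support, the precondition for DROWN.

Added example; not NetIQ or Identity Manager code. A server that answers
an SSLv2 CLIENT-HELLO with an SSLv2 SERVER-HELLO accepts SSLv2, and every
TLS service sharing that server's private key is exposed to DROWN.
"""
import os
import socket
import struct
import sys

# SSLv2 cipher kinds, 3 bytes each. The 40-bit export kinds are the ones
# that make the attack cheap, so they are offered first.
SSLV2_CIPHERS = {
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04


def build_client_hello(challenge=None):
    """Return one SSLv2 record carrying a CLIENT-HELLO offering every kind."""
    challenge = challenge or os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHERS)
    body = struct.pack("!BHHHH",
                       MSG_CLIENT_HELLO,
                       0x0002,            # requested version: SSL 2.0
                       len(ciphers),
                       0,                 # no session id
                       len(challenge)) + ciphers + challenge
    # Two-byte record header: top bit set means "no padding",
    # the remaining 15 bits are the body length.
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_server_hello(data):
    """Parse an SSLv2 SERVER-HELLO record; return None if it is not one.

    A server without SSLv2 typically replies with a TLS alert (first byte
    0x15) or simply closes the connection; both come out as None.
    """
    if len(data) < 2 or not data[0] & 0x80:
        return None
    length = struct.unpack("!H", data[:2])[0] & 0x7FFF
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    _sid_hit, cert_type, version, cert_len, ciph_len, conn_len = \
        struct.unpack("!BBHHHH", body[1:11])
    if len(body) < 11 + cert_len + ciph_len + conn_len:
        return None                       # truncated record
    cert = body[11:11 + cert_len]
    raw_ciphers = body[11 + cert_len:11 + cert_len + ciph_len]
    names = [SSLV2_CIPHERS.get(raw_ciphers[i:i + 3], "unknown")
             for i in range(0, len(raw_ciphers), 3)]
    return {
        "version": version,               # 0x0002 for SSL 2.0
        "cert_type": cert_type,           # 1 = X.509 certificate
        "cert_der": cert,                 # compare with your TLS listeners' certs
        "ciphers": names,
        "export_ciphers": [n for n in names if "EXPORT40" in n],
    }


def probe(host, port=443, timeout=5.0):
    """Send an SSLv2 CLIENT-HELLO and return the parsed SERVER-HELLO or None."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
                if data[0] & 0x80 and \
                        len(data) >= 2 + (struct.unpack("!H", data[:2])[0] & 0x7FFF):
                    break                 # whole SSLv2 record received
        except socket.timeout:
            pass                          # server stayed silent; parse what arrived
    return parse_server_hello(data)


def build_server_hello(cert, cipher_kinds, conn_id):
    """Build an SSLv2 SERVER-HELLO (used only to construct the sample below)."""
    body = struct.pack("!BBBHHHH", MSG_SERVER_HELLO, 0, 1, 0x0002,
                       len(cert), len(cipher_kinds), len(conn_id))
    body += cert + cipher_kinds + conn_id
    return struct.pack("!H", 0x8000 | len(body)) + body


# Constructed sample replies (not captures): an SSLv2-enabled server with a
# placeholder 5-byte "certificate", and the TLS handshake_failure alert a
# hardened server sends instead.
SAMPLE_SSLV2_REPLY = build_server_hello(
    b"\x30\x03\x02\x01\x01", b"\x02\x00\x80\x01\x00\x80", b"\x00" * 16)
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"

if __name__ == "__main__":
    # usage: python drown_probe.py <host> [port]; no host = parse the sample
    if len(sys.argv) > 1:
        result = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    else:
        result = parse_server_hello(SAMPLE_SSLV2_REPLY)
    if result is None:
        print("SSLv2 refused: not usable as a DROWN oracle")
    else:
        print("SSLv2 ACCEPTED; kinds:", ", ".join(result["ciphers"]))
        if result["export_ciphers"]:
            print("40-bit export kinds offered: the cheap DROWN variant applies")
```

Run it against every TLS listener in the deployment (LDAPS, the User Application, Remote Loader and any reverse proxy in front of them), not just one, and compare the `cert_der` of any SSLv2 answer you do get with the certificates those listeners present: a match means the IDM key has an SSLv2 oracle regardless of how IDM itself is configured. nmap's `sslv2-drown` script performs the same check if you prefer a packaged tool.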