Logjam Attack (weakdh) and Attachmate Products

  • 7021978
  • 20-May-2015
  • 02-Mar-2018

Environment

All Attachmate products

Situation

In May 2015, researchers announced weaknesses in the Diffie-Hellman key exchange used in many encrypted connection protocols (CVE-2015-4000). This technical note provides information on affected products.

The Diffie-Hellman (DH) key exchange is a method of securely exchanging cryptographic keys over a public channel. This method is used by a number of encrypted connection protocols.

With TLS protocol version 1.2 and earlier, if the DHE_EXPORT ciphersuite is supported by the server, man-in-the-middle attackers can conduct cipher-downgrade attacks. The client can be forced to use a weaker ciphersuite, even though the client does not have it enabled.

Additionally, in any TLS or SSH connection with both server and client enabled to use weaker DH Groups for key exchange, an attacker can passively eavesdrop and decrypt sessions. Groups with 1024-bit length or less are considered vulnerable, which includes the 512-bit export DH.
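
The following Python example is added here and is not part of the original technical note or of any Attachmate product. It reads the DH prime length from a TLS 1.2 (or earlier) DHE ServerKeyExchange handshake message, using the RFC 5246 layout, and applies the thresholds stated above. The function names and the sample messages are constructed for illustration, and the input is assumed to be a DHE (not ECDHE) message.

```python
import struct

SERVER_KEY_EXCHANGE = 12  # handshake message type (RFC 5246, section 7.4)

def read_vector(buf, off):
    """Read one opaque<1..2^16-1> field; return (value, next_offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    end = off + 2 + n
    if n == 0 or end > len(buf):
        raise ValueError("empty or truncated vector")
    return buf[off + 2:end], end

def dh_prime_bits(msg):
    """Bit length of dh_p in a DHE ServerKeyExchange handshake message."""
    if len(msg) < 4 or msg[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    # ServerDHParams = dh_p, dh_g, dh_Ys; the signature that follows is ignored.
    dh_p, off = read_vector(body, 0)
    _dh_g, off = read_vector(body, off)
    _dh_ys, off = read_vector(body, off)
    # bit_length() ignores leading zero bytes in the encoded prime.
    return int.from_bytes(dh_p, "big").bit_length()

def classify(bits):
    """Apply the thresholds given in this technical note."""
    if bits <= 512:
        return "export-grade"
    if bits <= 1024:
        return "vulnerable"
    return "ok"

def build_sample(prime_bytes):
    """Constructed message for testing; values are filler, not a real group."""
    p = b"\xff" * prime_bytes          # top bit set: bit length = 8 * prime_bytes
    fields = (p, b"\x02", b"\x01" * prime_bytes)
    body = b"".join(struct.pack("!H", len(f)) + f for f in fields)
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for size in (64, 128, 256):
        bits = dh_prime_bits(build_sample(size))
        print(bits, classify(bits))
```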

Resolution

Product Information

Refer to the information below for your product(s). If your product is under investigation, check again later as this technical note will be updated when new information becomes available.

| Product | Security Updates |
|---|---|
| Databridge | Not affected |
| Extra! | See Security Alerts - Extra! |
| FileXpress Gateway | See Security Alerts - Reflection for Secure IT Gateway |
| InfoConnect products | See https://support.microfocus.com/security/ |
| Reflection PKI Services Manager | Not affected |
| Reflection X Advantage | See Security Alerts - Reflection X Advantage |
| Reflection 2014 products | See Security Alerts - Reflection Desktop |
| Reflection 14.1 products | See https://support.microfocus.com/security/ |
| Reflection for Secure IT Client for Windows | See https://support.microfocus.com/security/ |
| Reflection for Secure IT Server for Windows | See https://support.microfocus.com/security/ |
| Reflection for Secure IT Client and Server for UNIX | See https://support.microfocus.com/security/ |
| Reflection for UNIX (iOS/Android) | Under investigation |
| Reflection for the Web 2014 products | See https://support.microfocus.com/security/ |
| Reflection Security Gateway 2014 | See https://support.microfocus.com/security/ |
| Reflection ZFE | Not affected |
| Verastream Host Integrator | See https://support.microfocus.com/security/ |

Status

Security Alert

Additional Information

Legacy KB ID

This article was originally published as Attachmate technical note 2795.