[sssForm]

Security Advisory

#CVE-2015-7575
Published: Wednesday, February 17th, 2016
Last Update: Wednesday, February 17th, 2016
Summary

This security advisory addresses CVE-2015-7575, pertaining to TLS1.2 in non FIPS compliant versions of ACOS.

Details

TLS 1.2 allows for the client and server to negotiate the hash algorithm they use. This was designed to allow the use of stronger hash functions, however it does allow for the use of the weaker MD5, which effectively weakens the authentication.

In the FIPS compliant versions of ACOS, this hash is specifically disabled; however the rest of the code is affected.

Although unlikely to exploit, if the vulnerability is exploited it can give the attacker one of two advantages. They may be able to forge a client certificate thus thwart certificate based client authentication. The second vulnerability would allow for key to be forged while using the server-key-exchange option.

This vulnerability requires the attacker is positioned on the network in a way allowing for the intercept of traffic and is very complex and difficult to exploit.

Affected Releases
Releases Affected Releases Resolved or Unaffected
Workarounds and Mitigations
Software Updates

Software updates resolving this potential vulnerability will be published at the following URL when available: click here
The following table summarizes update versions resolving all of the above CVEs.

Vulnerable Release Resolved Release
4.0.1 4.1.0
3.x 3.2.1
2.7.2-P7 2.7.2-P8
2.7.1-GR1 2.7.1-GR1-P1
2.8.2-P4 2.8.2-P5
Vulnerability Details

Software updates resolving this potential vulnerability will be published at the following URL when available: click here
The following table summarizes update versions resolving all of the above CVEs.

Vulnerable Release Resolved Release
4.0.1 4.1.0
3.x 3.2.1
2.7.2-P7 2.7.2-P8
2.7.1-GR1 2.7.1-GR1-P1
2.8.2-P4 2.8.2-P5
Vulnerability ID Vulnerability Description
Acknowledgements
Modification History
Revision Date Description
1.0 Saturday, August 22nd, 1970

Created web page