Impact of vulnerability "Logjam" existing in DH key exchange on CA Single Sign-On

Document ID : KB000009032
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

Is there any impact for the vulnerability "Logjam" which exists in DH key exchange.

Cause:

CVE-2015-4000 Logjam vulnerability description is as follows: 

"The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue." 

 

Resolution:

Related to CA Single Sign-On product, R12.5x, In CAPKI(ETPKI), 

No impact since all EXPORT ciphers are disabled by default, however this can be changed by the embedding products through an API. 

CAPKI has been upgraded to 5.1.0 in 12.52 SP1 CR06. 

 

In CA SPS(Secure Proxy Server), OpenSSL is bundled. There may be impact. 

However OpenSSL has been upgraded to 1.0.1p in 12.52 SP1 CR4. 

 

For AdminUI, below is reported. 

When using the Chrome or Firefox web browsers to connect to the CA SSO Administrative UI (WAMUI) the connection fails and the browsers return Diffie-Hellman key errors. 

This issue is occurring in the default configuration of the underlying JBOSS application server, which is bundled with the WAMUI as the 'WAMUI-Prereq". 

To resolve this JBOSS 'server.xml' will need to be manually modified. 

https://support.ca.com/us/knowledge-base-articles.TEC1346659.html